Building a Replica Hackers Pager

Ever since I saw Hackers (1995), I always wanted one of the iconic yellow pagers that Cereal Killer sports at various points during the film. I missed out on the whole era of pagers, but I always thought there was just something cool about them that seems a little less amazing now that we are in a text-messaging world.

The Motorola Advisor from the film.

Many months ago, I became aware of an awesome website called Hackers Curator that attempts to index every prop (among other great things) from the Hackers film, and even make some reproductions. Of course, they showcased the iconic Motorola Advisor pager, and even gave a custom-made replica away to an online buddy of mine via a scavenger hunt contest. I inquired to see if they had any for sale, and they did, but a single pager from them was outside of my price range. I thought I could do something similar for significantly less money — and it turns out that I can (you can too)!

I in no way want to sound as though I am disparaging Hackers Curator. I think they do a really good job, and I’ve even contributed a few scans to their site. If you don’t like the idea of piecing together supplies to customize your own pager, don’t have a lot of free time, or just don’t like getting spray paint over your hands, I’d definitely recommend you send them an email to see if they have any pagers in stock. I’d also like to make it known that they have a video on their YouTube channel that outlines how they made one of the pagers. I got a few ideas from their video, but ultimately used a few different techniques and hope to share my individual findings (and source files!) to create a more complete build solution guide for tinkerers out there.

Build List

  • Motorola Advisor pager – $10+
  • Krylon Fluorescent Yellow spray paint – $4
  • Krylon All Purpose Bonding White Primer spray paint – $4
  • Masking tape – $1
  • Fine grit sand paper – $1
  • X-Acto Knife (or other precision cutting tool like a razor blade or box cutter) – $1-$5
  • Scrap cardboard (to put the pager body on for painting) – Free
  • 5x Sheets waterslide decal paper (and a printer to print on it with) – $4-$8
  • 1x Sheet metallic-gold paper – $1
  • Motorola sticker (optional) – $3

The heart of this project is of course the Motorola Advisor pager. Technically, there are two different versions of the original Motorola Advisor, and the difference comes down to the arrow buttons having triangles inset into the rubber or just printed right on top. Cosmetically, this doesn’t seem to make much of a difference, but if you want to be accurate to the movie I believe the pager they use has the inset triangles. Also keep in mind there have been many Motorola pagers in the Advisor line, like the Advisor II, Advisor Gold, Advisor Elite, etc. I may have made some of those up, but it’s hard to tell when they have names like that. You just want the original blocky one. I ended up just buying the most inexpensive one I could find on eBay, for $10 including shipping. The internals in mine appear to work, but if you are just making a prop, it likely doesn’t matter if the thing works at all. You may also notice that a lot of these pagers have some other company’s name in the front nameplate where “Motorola Advisor” should be. This is fairly common, so unless you happen to find a sticker that will fit over top of the weird company’s name, you might want to pay a little more for a pager that actually says “Motorola Advisor.”

You’ll want to get some spray paint to paint the pager with, and I recommend a basic white primer to cover up the black plastic entirely, and fluorescent yellow paint to match the color of the pager in the film. For whatever reason this paint has awful reviews online, but works great and even glows under black light! More on that later. Aside from the paint, you will want some basic supplies like masking tape (to tape off areas on the pager you don’t want paint on), an X-Acto (or other precision cutting tool to slice off excess masking tape), some fine grit sand paper (to sand down some paint during finishing to make the pager look worn), and scrap cardboard (or wood, etc. to place the pager body on for painting). For these supplies, I used stuff I had around, which included 100 grit sandpaper that I probably should not have used as it was too low grit. You may want to get a variety of sandpaper and work your way down the grit levels. Lastly, before I forget, unless you have long fingernails, you are going to want some sort of pry tool like a small jeweler’s screwdriver or guitar pick (which is always good to keep in the tool box).

The last important items you will need to get are waterslide decal paper and metallic-gold craft paper. Waterslide paper allows you to print directly onto a paper-backed transparent plastic film that you will later apply to the pager’s screen (from the back). They make different types for laser and inkjet printers, so be sure to buy the proper type for the printer you have. I bought a pack of five sheets so I had some extras if I messed up or wanted to do a slightly different design at some point. The metallic-gold craft paper is easy to find in a giant sheet at any craft store, just inspect it before you buy it as some sheets looked streaky. We will use this gold paper as a backing for our waterslide paper.

Disassembly

Okay, so now we have our pager.

The majestic Motorola Advisor!

Flip it over and remove the battery cover. It should slide out from top to bottom.

Battery cover removed.

Next, we need to open it up. If we flip the pager onto its side, we can locate the locking plastic tab keeping it together. These pagers have a tool-less assembly, so we can pry up this piece of plastic by slipping a fingernail or a piece of plastic (okay, or a jeweler’s screwdriver) into the crease closest to the corner (shown at the right of the picture here) and sliding the cover to the right, towards the pried-up end.

The plastic cover should slide right out when you get it to this point.

At this point, the pager should basically break down into its components, which we can easily reassemble later. If you ever find a part that seems to be held in by adhesive (like a side of the screen), you can safely wiggle this loose using a small screwdriver and mild pressure. The actual LCD screen is attached to a separate plastic case piece through three plastic tabs that can be released (again) with a small screwdriver or prying device of some kind.

Depressing the tabs to release the screen.

Now, everything should be completely broken down.

All of the components separated.

Painting

Before we can actually do some painting, we need to tape off the areas that we don’t want any paint to get on. This includes the screen, the name plate, plastic parts on the side, labels, or pretty much anything that isn’t black plastic. Apply tape liberally and use the precision knife to gently cut away excess.

Taping off the nameplate.

Make sure to also tape off components or clear plastics from the underside of the case as well! You don’t want back-spray to leave any paint flecks here. Also, I didn’t do this, but try to tape off the back of the locking plastic tab and corresponding parts of the case that the tab normally covers. This will make assembly and disassembly easier in the future if you want to get back inside the pager, the layers of paint can make it really hard to slide the tab out again!

Ready to go! There should be 5 pieces to paint.

The primer we have is designed to bond to plastic, so we should be good to go with a first coat. You might want to clean the pager’s shell with alcohol or maybe do some sanding here, but I didn’t find that necessary. Place the case pieces on some cardboard and paint them following the directions on the can. When done, follow the drying instructions as well. Two coats should cover the case completely.

Primer done!

Next up, the yellow paint! Again, follow the painting and drying instructions on the can. For this, I ended up doing three coats total, but two might be good enough.

Fluorescent yellow looking good!

We can now carefully remove the masking tape.

Tape removed.

At this point, we can start sanding down the edges of the pager to remove some layers of paint. Remember to work applying light pressure, as you can always take more paint away but not get any back. It helps if you keep a screenshot from the film nearby when working on your wear pattern.

After some sanding, we’re looking pretty good.

Preparing the Decal

The coolest part of this pager is going to be mimicking the display of the pager in the movie so it reads “GRAND CENTRAL HACK THE PLANET”. To achieve this, I had to combine a few different things.

First, I wanted to make a canvas for the screen, so I made a Photoshop document sized at 2.628 inches by 0.872 inches (a little larger than the screen size) with a resolution of 250 pixels/inch.

Then, I wanted to work on the text. Instead of making the typeface from scratch, I found an almost identical typeface called LCD Solid, which is freely available. I was able to create two lines of text, and adjust the kerning so the characters were spaced out more like in the film.

Next, I used a screenshot from the film to draw the little display icons by tracing over them in the screenshot. I ended up modifying them a bit to level them out and generally make them look a bit more flat. Ultimately, I was able to get a pretty close representation of the screen shown in the movie.

My completed screen.

You can download my finished PDF here for free. Please use it, and modify it, and make it better for other hackers to use!

The next step was to print it out on standard white computer paper, cut it down, and do a fit test to make sure it would look okay and not be cut off when it was printed on plastic for the final product.

Just holding a cut piece of white paper with the printed image shows how well it will fit.

Everything looked good, so now we can move on to printing on the waterslide decal paper. Our waterslide paper is clear plastic backed by white paper. After we print out our image on the plastic side, the paper is soaked in water and the backing slides off, leaving a “sticky” side we will affix to the back of our pager screen. Because of this, we will need to flip our newly created image horizontally before printing on the waterslide paper. Additionally, I copied and pasted the image many times to fill out the sheet of paper in the event that the application didn’t work or came out poorly. It is a good idea to do this to give several attempts as waterslide paper can be a bit tricky.

A big sheet of waterslide paper with the image printed all over it.

Now, we can cut away one of the decals and make sure it fits the space of the screen. Rough measuring can be helpful here.

Decal ready for application.

Follow the instructions included with waterslide paper to remove the backing. Generally, you will place the decal in a bowl of warm (not hot) water for 30 seconds then remove it. Flatten the decal out and line it up on the backside of the pager screen (text facing you). With your finger holding down the long edge of the decal, slowly work the backing up, away from your finger until it is completely removed. Use a cloth or your finger with light pressure to smooth out any wrinkles or air bubbles between the decal and the screen. Do not use a credit card or your fingernail if suggested by the waterslide paper instructions, this will scratch away some of the ink on the decal and leave it splotchy. If the decal doesn’t look good, don’t be afraid to start over. It can take a few tries to get the desired result.

Here is the applied decal posed next to a cropped screenshot of the pager from the film.

At this point, I assembled the unit, but was very dissatisfied by the gutter shadow between the screen and the display. Also, the display somehow had a ton of scratches that were not on the screen.

Look at that shadow!

You can also see that I applied my Motorola sticker to the nameplate at this point to make the pager look a little more stock. I could only find a “Motorola OPTRX” sticker for sale on eBay, so I used a Sharpie to black out the “OPTRX” text.

Here is the sticker before application.

But anyway, we want to eliminate that shadow. This is where the metallic-gold craft paper comes in. Cut a piece roughly the size of the screen, and place it between the screen and the display. No tape or glue is needed to secure it in place, it just stays in from friction. This is not only cheaper than spraying the area with gold paint, but it also makes it easier to change out the decal or reverse the whole modification so the original pager display can be used for any reason.

The completed pager.

One of my favorite properties of the fluorescent yellow paint is its ability to glow under black light.

The pager body pops under UV light.

Also, it looks pretty good in the holster.

Ready to be clipped on to a belt.

Conclusion

That finishes up the Hackers pager. There is a bit of room for improvement, but I’m really satisfied by the result. To see some of my progress posts and to see what others are doing, be sure to check the #hackerspager tag on Mastodon. In total this build cost me a bit less than $30.

Aside from showing this pager off at cons, I hope to one day look into modifying it to run POCSAG so it will act as an actual pager and not just a show piece. That’s definitely further down the line, however.

This guide is organic, and subject to change. Let me know if you attempt it, how it works for you, and if you successfully make a cool pager by using it! Don’t hesitate to reach out.

Hack the planet!

 

Building A PBX Part 4 — Hooking Up A Rotary Phone

This article is one in a series about building a PBX. If you haven’t already, please check out the first in the series, Building A PBX Part 1 — PBX Hardware.

So now that we have a touch-tone phone configured to work with our PBX, let’s focus on getting a rotary phone working. As mentioned briefly in part 3 of this PBX setup, rotary phones rely on pulse dialing, while touch-tone phones rely on tone dialing. Most ATAs (Analog Telephone Adapters. If you don’t know what this is, you should really read part 3) don’t support pulse dialing, meaning that if you hooked a rotary phone up to one, you wouldn’t be able to call out from it.

A cheap adapter that supports pulse dialing is the Grandstream HT502, which you can buy used for about $20 USD on marketplaces like eBay. Not only does the HT502 support pulse dialing, but it has two independent telephone ports, allowing you to configure two different phones (with different extensions!) through one ATA. This adapter was recommended to me by FozzTexx, and I have him to thank for introducing me to it.

Now that we have our HT502, we need to do some initial setup on the PBX to communicate with it. Log in to Incredible PBX via the web interface and go to Applications >> Extensions. There will probably be some existing extensions there, but we want to make a new one. So we can press the ‘Add Extension’ button, and choose ‘Add New CHAN_SIP Extension’ from the drop-down. CHAN_SIP is an older alternative to PJSIP, both of which are SIP protocol implementations. We need to use CHAN_SIP for the HT502 as it can only connect to the PBX at port 5060 for un-encrypted SIP traffic (PJSIP listens on port 5061).

Now we can fill out information for a new extension that will correspond to our phone on the General tab. Pick a User Extension (like 4321, something users on your PBX will dial to reach our phone), a Display Name (a nickname to identify this extension), and a Secret (just a password for this extension). Below in User Manager Settings, we will create a new user on the PBX for this extension. Under Link to a Default User, select Create New User, and then check the box below for Use Custom Username before adding a name into the Username field (I use the extension for this). Below, enter a password in Password for New User (I use the same one specified for Secret above).

The General Tab, under Add SIP Extension.

Now click on the Voicemail tab so we can set up some basic voicemail functionality. Under Enabled, select Yes to turn voicemail on, and provide a Voicemail Password (something 4-digits long, easy to enter via your phone works well). Optionally, toggle the selections for Require From Same Extension (so you need to enter the voicemail password when calling from your extension) and Disable (*) in Voicemail Menu (which allows access to the voicemail menu remotely) to Yes and No respectively. Additionally, you can supply an Email Address for voicemail notifications to be sent to, and you can toggle Play CID to Yes, which will read back the caller’s phone number before playing a voicemail.

The Voicemail tab, under Add SIP Extension.

We will leave all other settings on this and other tabs untouched, so press the ‘Submit’ button to save this extension.

Now, navigate to Applications >> IVR to get to the IVR (Interactive Voice Response) list. We will be modifying the DemoIVR, so click on the Edit icon for DemoIVR. We will be modifying the IVR so that when someone calls into our PBX, they can dial our extension and ring our phone.

The IVR page, under Applications.

Scroll all the way to the bottom of the Edit IVR: DemoIVR page to the IVR Entries section. You should have a blank box at the bottom under the Digits column, but if not, press the button titled ‘+ Add Another Entry’ to add a blank row. In the empty row, enter your extension (from earlier) in the Digits column (I use 4321), and from the drop-down in the Destination column, choose Extensions and then select your extension from earlier in the drop-down directly below (mine reads 4321 Rotary). When done, press the ‘Submit’ button to save the IVR.

Adding an IVR Entry to DemoIVR.

Finally, press the big red ‘Apply Config’ button at the top right of the page. This will apply the new config and make our extension/IVR changes live.

Now we need to configure our HT502 device. Physical setup is very easy. Plug the telephone into the Phone1 RJ-11 jack of the HT502 using an RJ-11 cable. Similarly, plug an ethernet cable into the RJ-45 jack labeled WAN on the HT502, and plug the other end into a spare jack on a network switch in the same LAN as your PBX. Finally, connect the power adapter up between the HT502 and mains, which will automatically boot the device (it will now light up some green LEDs). At this point, it is probably a good idea to factory reset the device by holding down the reset button on the HT502 with a paperclip until it restarts (about 7 seconds). This will clear any old/junk configurations.

The HT502 up and running.

By default, the HT502 doesn’t allow web administration access over the WAN port, so you must either connect a computer to the LAN port of the HT502 to access the web interface, or connect a touch-tone phone (only for this step) into the Phone1 port to enable web access. If you opt to connect a touch-tone phone, the HT502 must be configured through the built-in IVR. Pick up the handset on the phone and dial *** to launch the IVR. Then, dial 12 for the menu item corresponding to WAN port access. Finally, dial 9 to toggle the WAN port access on. You should receive an audio confirmation that access is enabled, so you can hang up the call.

Now, check your router or nmap scan your network to find the IP address of the HT502 and visit it in a browser. We will be prompted for a password (admin) which we will need to enter to get to the dashboard to continue configuration.

From the top navigation, go to FXS PORT1 to configure SIP settings. Under Account Active, select Yes. For Primary SIP Server and Outbound Proxy, enter the IP address of our PBX. For SIP User ID, Authenticate ID, and Name, enter the extension we set up earlier (I’m using 4321). Under Authenticate Password, enter our Secret (password) that we used when setting up the extension. Finally, under DNS Mode, select Use Configured IP. Everything else should be fine as the default configuration.

Configuring FXS Port1 on the HT502.

When done, scroll to the bottom of the page and press the button for ‘Update’. The page will then reload, so scroll down to the bottom and press the button for ‘Apply’ to apply our settings.

After a few seconds, you should be able to go to STATUS via the top navigation and see our extension registered with the PBX.

FXS 1 is reading as Registered.

After giving the device enough time to reboot (about 5 seconds from what I’ve seen), we can now test incoming and outgoing calls to our phone. I’m testing using an old (and filthy) Western Electric 500.

The Western Electric 500.

To test incoming calls, from an external line (like a cell phone) dial the DID number to access the PBX (as you did in part 2 and part 3). When you can hear the IVR provide you with options, enter the extension we set up (4321), and wait a second or two. Your touch-tone phone should start ringing, allowing you to pick it up and connect the call!

To test outgoing calls, pick up the handset on your touch-tone phone (the one configured in this guide to work with the PBX) and dial 1 followed by an external phone number (like your cell phone). For example, if my cellphone had the number 555-123-4567 I would dial 1-555-123-4567 to place an outgoing call (1 has been set up to dial out). Within a few seconds, the call should come in to your cell phone (or whatever external phone you are using) and even display the outbound CID you specified earlier as the caller ID (pretty cool, huh? Talk about easy spoofing). Answer the call to test if you can hear both sides of the conversation!

If you followed along with part 3, you should now have two phones configured on the PBX. Not only can these phones make and take calls externally, but they can also call each other! From your rotary phone, dial 1234 (or whatever extension you used when setting up your touch-tone phone) to call your touch-tone phone, or from your touch-tone phone dial 4321 (or whatever extension you used when setting up your rotary phone) to call your rotary phone!

You should now have a rotary phone configured with your PBX that can make and receive calls! If you can’t seem to properly make or receive a call, check the config on both the PBX and HT502 to see if anything looks incorrect.

 

Building A PBX Part 3 — Hooking Up A Touch-Tone Phone

This article is one in a series about building a PBX. If you haven’t already, please check out the first in the series, Building A PBX Part 1 — PBX Hardware.

So now that we have incoming and outgoing calls configured on the PBX, we can actually hook up a touch-tone phone to make and receive calls!

Your standard phone is going to have an RJ-11 jack to interface with telecommunications equipment, but of course our Raspberry Pi setup doesn’t have any sort of dial-up modem card or anything that might make some sort of sense when it comes to wiring everything up.

We need what is known as an ATA (Analog Telephone Adapter), a device that sits on the local area network and interfaces with our PBX via TCP/UDP, while also simulating a traditional telephone network connection for our physical phone to use.

I purchased a very basic OBi100 ATA device to use with my touch-tone phone. It is important to note at this point that not all adapters support older rotary phones (which use pulse dialing, but more on that in a future article); pretty much any ATA will support touch-tone phones (which use tone dialing). That said, a lot of these devices have very cryptic configurations, and it might be difficult to find how to use them. The OBi100 has been discontinued, but it is fairly well documented and available used for around $10-$20 USD on sites like eBay.

Now that we have our OBi100, we need to do some initial setup on the PBX to communicate with it. Log in to Incredible PBX via the web interface and go to Applications >> Extensions. There will probably be some existing extensions there, but we want to make a new one. So we can press the ‘Add Extension’ button, and choose ‘Add New PJSIP Extension’ from the drop-down.

Now we can fill out information for a new extension that will correspond to our phone on the General tab. Pick a User Extension (like 1234, something users on your PBX will dial to reach our phone), a Display Name (a nickname to identify this extension), and a Secret (just a password for this extension). Below in User Manager Settings, we will create a new user on the PBX for this extension. Under Link to a Default User, select Create New User, and then check the box below for Use Custom Username before adding a name into the Username field (I use the extension for this). Below, enter a password in Password for New User (I use the same one specified for Secret above).

The General Tab, under Add PJSIP Extension.

Now click on the Voicemail tab so we can set up some basic voicemail functionality. Under Enabled, select Yes to turn voicemail on, and provide a Voicemail Password (something 4-digits long, easy to enter via your phone works well). Optionally, toggle the selections for Require From Same Extension (so you need to enter the voicemail password when calling from your extension) and Disable (*) in Voicemail Menu (which allows access to the voicemail menu remotely) to Yes and No respectively. Additionally, you can supply an Email Address for voicemail notifications to be sent to, and you can toggle Play CID to Yes, which will read back the caller’s phone number before playing a voicemail.

The Voicemail tab, under Add PJSIP Extension.

We will leave all other settings on this and other tabs untouched, so press the ‘Submit’ button to save this extension.

Now, navigate to Applications >> IVR to get to the IVR (Interactive Voice Response) list. We will be modifying the DemoIVR, so click on the Edit icon for DemoIVR. We will be modifying the IVR so that when someone calls into our PBX, they can dial our extension and ring our phone.

The IVR page, under Applications.

Scroll all the way to the bottom of the Edit IVR: DemoIVR page to the IVR Entries section. You should have a blank box at the bottom under the Digits column, but if not, press the button titled ‘+ Add Another Entry’ to add a blank row. In the empty row, enter your extension (from earlier) in the Digits column (I use 1234), and from the drop-down in the Destination column, choose Extensions and then select your extension from earlier in the drop-down directly below (mine reads 1234 TouchTone). When done, press the ‘Submit’ button to save the IVR.

Adding an IVR Entry to DemoIVR.

Finally, press the big red ‘Apply Config’ button at the top right of the page. This will apply the new config and make our extension/IVR changes live.

Now we need to configure our OBi100 device. Physical setup is very easy. Plug the telephone into the RJ-11 jack of the OBi100 using an RJ-11 cable. Similarly, plug an ethernet cable into the RJ-45 jack of the OBi100, and plug the other end into a spare jack on a network switch in the same LAN as your PBX. Finally, connect the power adapter up between the OBi100 and mains, which will automatically boot the device (it will now light up some green LEDs). At this point, it is probably a good idea to factory reset the device by holding down the reset button on the OBi100 with a paperclip until it restarts. This will clear any old/junk configurations.

The OBi100 up and running.

Now, check your router or nmap scan your network to find the IP address of the OBi100 and visit it in a browser. We will be prompted for a username and password (admin/admin) which we will need to enter to get to the dashboard to continue configuration.

On the left navigation, click on Service Providers >> ITSP Profile A >> SIP to view our SIP configuration. Uncheck the check-boxes in the Default column for ProxyServer and ProxyServerPort. Under the Value column for ProxyServer, put the IP address of our PBX. Under the Value column for ProxyServerPort, put 5061 (The port PJSIP is using on our PBX).

SIP configuration, under ITSP Profile A.

Now scroll down to the bottom of the page and press the ‘Submit’ button. You will now be at a confirmation page, but we aren’t done just yet.

On the left navigation, go to Voice Services >> SP1 Service. On the SP1 Service page, under SIP Credentials, uncheck the boxes under the Default column for AuthUserName and AuthPassword. Under the Value column, for AuthUserName enter our extension number (I used 1234) and for AuthPassword enter our extension Secret (the password we set for the extension).

SIP Credentials, under SP1 Service.

Again, scroll down to the bottom of the page and press the ‘Submit’ button. On the resulting confirmation page, press the ‘Reboot’ button in the top right corner to reboot the device. This will apply the new configuration we specified after the device boots after a few seconds.

The OBi100 confirmation page.
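
What the ATA and the PBX exchange once these credentials are saved (the same handshake applies to the Authenticate ID and Authenticate Password entered on the HT502's FXS PORT1 page in Part 4), modelled as an added example that is not from the original article or from either vendor. The realm "asterisk", the address 192.0.2.10 and the secrets are constructed assumptions, and messages are plain dicts rather than real SIP packets.

```python
"""Model of the SIP REGISTER digest handshake between an ATA and a PBX.

Added example: messages are dicts, not real SIP packets (a simplification).
"""
import hashlib
import hmac
import secrets

REALM = "asterisk"  # assumption: the digest realm announced by the PBX


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # who is asking, and the Secret
    ha2 = md5_hex(f"{method}:{uri}")                 # what is being requested
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """PBX side: knows each extension's Secret and issues one-time nonces."""

    def __init__(self, secret_by_extension):
        self.secret_by_extension = dict(secret_by_extension)
        self.open_nonces = set()
        self.registered = set()

    def handle(self, request):
        auth = request.get("authorization")
        if auth is None:
            # The first REGISTER carries no credentials: reply with a challenge.
            nonce = secrets.token_hex(16)
            self.open_nonces.add(nonce)
            return {"status": 401, "realm": REALM, "nonce": nonce}
        if auth["nonce"] not in self.open_nonces:
            return {"status": 403, "reason": "unknown or already used nonce"}
        self.open_nonces.discard(auth["nonce"])  # each nonce is good for one try
        secret = self.secret_by_extension.get(auth["username"])
        if secret is None:
            return {"status": 403, "reason": "no such extension"}
        expected = digest_response(auth["username"], REALM, secret,
                                   request["method"], auth["uri"], auth["nonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return {"status": 403, "reason": "bad credentials"}
        self.registered.add(auth["username"])
        return {"status": 200, "reason": "OK"}


class Ata:
    """ATA side: holds the values typed into its SIP credential fields."""

    def __init__(self, auth_id, password, pbx_ip):
        self.auth_id = auth_id      # AuthUserName / Authenticate ID
        self.password = password    # AuthPassword / Authenticate Password
        self.pbx_ip = pbx_ip        # ProxyServer / Primary SIP Server
        self.last_request = None    # kept so the final message can be inspected

    def register(self, registrar):
        uri = f"sip:{self.pbx_ip}"
        request = {"method": "REGISTER", "uri": uri}
        reply = registrar.handle(request)
        if reply["status"] != 401:
            return reply
        # Answer the challenge: only a hash derived from the Secret is sent.
        request["authorization"] = {
            "username": self.auth_id,
            "realm": reply["realm"],
            "nonce": reply["nonce"],
            "uri": uri,
            "response": digest_response(self.auth_id, reply["realm"],
                                        self.password, "REGISTER", uri,
                                        reply["nonce"]),
        }
        self.last_request = request
        return registrar.handle(request)


if __name__ == "__main__":
    # Constructed extensions, secrets and PBX address.
    pbx = Registrar({"1234": "constructed-secret-1",
                     "4321": "constructed-secret-2"})
    rotary = Ata("4321", "constructed-secret-2", "192.0.2.10")
    print("register:", rotary.register(pbx))
    print("sent:", rotary.last_request["authorization"])
    print("replay of the same message:", pbx.handle(rotary.last_request))
    typo = Ata("1234", "constructed-secret-one", "192.0.2.10")
    print("mistyped secret:", typo.register(pbx))
```

The Secret itself is never sent; the PBX only sees the MD5 response, and a captured request cannot be reused because its nonce is spent.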

After giving the device enough time to reboot (about 5 seconds from what I’ve seen), we can now test incoming and outgoing calls to our phone. I’m testing using an old (and filthy) Western Electric 2500.

The Western Electric 2500.

To test incoming calls, from an external line (like a cell phone) dial the DID number to access the PBX (as you did in part 2). When you can hear the IVR provide you with options, enter the extension we set up (1234), and wait a second or two. Your touch-tone phone should start ringing, allowing you to pick it up and connect the call!

To test outgoing calls, pick up the handset on your touch-tone phone (the one configured in this guide to work with the PBX) and dial 1 followed by an external phone number (like your cell phone). For example, if my cellphone had the number 555-123-4567 I would dial 1-555-123-4567 to place an outgoing call (1 has been set up to dial out). Within a few seconds, the call should come in to your cell phone (or whatever external phone you are using) and even display the outbound CID you specified earlier as the caller ID (pretty cool, huh? Talk about easy spoofing). Answer the call to test if you can hear both sides of the conversation!

You should now have a touch-tone phone configured with your PBX that can make and receive calls! If you can’t seem to properly make or receive a call, check the config on both the PBX and OBi100 to see if anything looks incorrect.

 

Building A PBX Part 2 — Configuring Incoming & Outgoing Calls

This article is one in a series about building a PBX. If you haven’t already, please check out the first in the series, Building A PBX Part 1 — PBX Hardware.

So now we’re ready to configure our PBX to interact with the global telephone network. This means that anyone in the world can call into our PBX, and we can call out.

Much like needing an ISP to connect a home network to the Internet, we will need a VoIP provider to hook into the telephone network.

There are many VoIP providers out there, but I chose VoIP.ms based on their pricing model. At the time of writing, their most basic plan costs $0.85 USD a month for incoming calls with an additional $0.009 USD per minute, and $0.01 USD per minute for outgoing calls. You can do quite a bit of experimentation with these rates for less than the cost of a cup of coffee. However, you need to note that you can only deposit funds into your account in increments of $25.00, so you will need to invest that much up-front. This initial deposit could last you for years depending on your usage.

After registering an account and depositing funds, log in to the customer portal and go to DID Numbers >> Order DID(s) in order to register a DID (Direct Inward Dialing) number. This number is what everyone will eventually call to access our PBX. The process is relatively simple, allowing you to pick an area code, and even do some searching if you want any of the digits to be in a certain order to spell out a word, or anything like that. Of course, you have to pick from a pool of numbers that aren’t already being used.

After we have our DID number, we need to configure our DID Routing by going to Main Menu >> Account Settings and clicking the DID Routing tab. From here, we can choose a POP server that is physically close to our PBX (for lower latency) and make sure that the Routing is set to SIP/IAX for our main account. When done, hit the ‘Apply All’ button at the bottom of the page. At this point, we can also take a little time to explore all of the options under account settings. Most options can be left as they are, but some, like disabling international calls, can safeguard against misconfigurations and higher bills.

Choosing a server through VoIP.ms’ control panel.

Now we need to configure the PBX to actually use VoIP.ms. Log in to FreePBX and go to Connectivity >> Trunks. Here, we will edit the VoIPms trunk that is already pre-configured (minimally) in Incredible PBX. If you don’t have this trunk already, you can press the ‘Add Trunk’ button to create a new one (chan_sip should work just fine if it prompts you). “Trunking” is a method in telecommunications that lets a system service many clients (like a tree trunk with many branches). From our perspective, this means that many people will be able to call in and interact with our PBX at once.

The Incredible PBX Trunks page.

On the General tab, give the trunk a name and an Outbound CallerID if you’d like (the number others will see calls coming from).

The General tab, under Edit Trunk.

On the Dialed Numbers Manipulation Rules tab, edit the dial patterns so they look like the following:

()  | 1NXXNXXXXXX
(1) | NXXNXXXXXXX
()  | NXXXXXX

The Dialed Number Manipulation Rules tab, under Edit Trunks.

On the sip Settings tab, enter the following configuration using your username (a sip username emailed to you from VoIP.ms, not what you log in with), secret (password you use for VoIP.ms, unless you changed it through their Account Settings), and host (you specified this when you chose a pop server, something like newyork4.voip.ms):

username=YOUR-6-DIGIT-VOIPMS-USERNAME
type=friend
trustrpid=yes
sendrpid=yes
secret=YOUR-VOIPMS-PASSWORD
qualify=yes
nat=yes
insecure=port,invite
host=YOUR-VOIPMS-POP-HOST
fromuser=YOUR-6-DIGIT-VOIPMS-USERNAME-AGAIN
disallow=all
context=from-trunk
canreinvite=nonat
allow=ulaw

The Outgoing tab, under sip Settings, under Edit Trunk.

The sip Settings tab also has a sub-tab for Incoming (you are currently on Outgoing). Click on that tab and enter a register string in the following format:

YOUR-6-DIGIT-VOIPMS-USERNAME:YOUR-VOIPMS-PASSWORD@YOUR-VOIPMS-POP-HOST:5060/YOUR-6-DIGIT-VOIPMS-USERNAME-AGAIN

The Incoming tab, under sip Settings, under Edit Trunk.

Press the ‘Submit’ button when done.

Now go to Connectivity >> Inbound Routes and press the button for ‘Add Inbound Route’. On the General tab, modify Set Destination to IVR (Interactive Voice Response), and choose the DemoIVR. All of the other tabs should have default settings. Press the ‘Submit’ button to save.

The General tab, under Inbound Routes.

The Advanced tab, under Inbound Routes.

The Privacy tab, under Inbound Routes.

The Fax tab, under Inbound Routes.

The Other tab, under Inbound Routes.

 

Next, go to Connectivity >> Outbound Routes and press the button for ‘Add Outbound Route’. The settings here will mostly mirror your trunk configuration. On the Route Settings tab, give the route a Route Name, and set the same Route CID you did for the trunk earlier. For the Trunk Sequence for Matched Routes setting, select the VoIPms trunk.

The Route Settings tab, under Outbound Routes.

On the Dial Patterns tab, make sure to use the same dial patterns set for the trunk earlier.

The Dial Patterns tab, under Outbound Routes.

We won’t need to change any settings on the Import/Export Settings or Additional Settings tabs.

The Import/Export Settings tab, under Outbound Routes.

The Additional Settings tab, under Outbound Routes.

Finally, press the big red ‘Apply Config’ button at the top right of the page. This will apply the new config and make our trunk/route changes live.

At this point, you should be able to call the DID number you got from VoIP.ms from any phone and have it reach your PBX, which will lead you to an automated menu with a few options. If you don’t get a friendly greeting and a bunch of options you can choose, check your config and see if anything looks incorrect.

We will test the outgoing calling in the next part of this guide when we set up a phone to interact with the PBX!
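The dial patterns entered on the trunk and the outbound route decide which dialed numbers ever reach VoIP.ms, so they act as a second safeguard alongside disabling international calls at the provider. The script below is an added example, not FreePBX code or part of the original guide; it reads each rule as prepend|pattern (an assumption about the notation used above), handles only literal digits and the letters X, Z and N, and runs constructed sample numbers through the three rules listed on the trunk.

```shell
#!/bin/sh
# Added example (not FreePBX code): evaluate dialed numbers against trunk rules.
# Each rule is "prepend|pattern"; the three below are copied from the trunk
# configuration on this page. An empty prepend means nothing is added.
RULES='|1NXXNXXXXXX
1|NXXNXXXXXXX
|NXXXXXX'

# Translate pattern letters to an extended regex: X = 0-9, Z = 1-9, N = 2-9.
# Literal digits in a pattern pass through unchanged.
pattern_to_ere() {
    printf '%s\n' "$1" | sed -e 's/X/[0-9]/g' -e 's/Z/[1-9]/g' -e 's/N/[2-9]/g'
}

# Print the number that would be sent to the provider.
# Returns 1 (and prints nothing) when no rule matches the whole number.
route_number() {
    dialed=$1
    # Digits only: anything else is refused before pattern matching.
    case $dialed in
        ''|*[!0-9]*) return 1 ;;
    esac
    while IFS='|' read -r prepend pattern; do
        [ -n "$pattern" ] || continue
        # grep -x requires the pattern to cover the entire number.
        if printf '%s\n' "$dialed" | grep -Eqx "$(pattern_to_ere "$pattern")"; then
            printf '%s%s\n' "$prepend" "$dialed"
            return 0
        fi
    done <<EOF
$RULES
EOF
    return 1
}

# Constructed sample numbers (not from the page): an 11-digit number with a
# leading 1, a 7-digit local number, an international prefix, a short code.
for n in 12155550123 5550123 011442071234567 911; do
    if out=$(route_number "$n"); then
        echo "$n -> sent to the trunk as $out"
    else
        echo "$n -> no matching rule, call is not placed on this trunk"
    fi
done
```

Numbers that match no rule never leave the PBX through this trunk, which is why a short, explicit pattern list is safer than a catch-all wildcard.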

 

Building A PBX Part 1 — PBX Hardware

I’ve always had some sort of fascination with the telephone system. There is something that excites me about large systems in general, whether it has to do with computer networking, telephony, power, or even the postal service. Phone phreaking sort of plays into this fascination—we learn how the phone network works by poking and prodding until something interesting is discovered.

In 2012 or so, I set up my own PBX (or private branch exchange) using an original 256MB Raspberry Pi model B. The system worked great! I was able to take and place calls, hook in my trusty Western Electric phone, and play around with all of the different features I could figure out. Eventually, the system was powered down and put into a bin, mostly forgotten until earlier this year.

A few months ago I decided to resurrect my trusty PBX by completely recreating the original functionality I attained six years ago, with a few other little additions thrown in. I’ve decided to start this series of guides to document what I’ve been able to figure out (and maybe some stuff I haven’t yet). It’s for you as much as it is for me. Some of the configuration I’ve seen can be cryptic, and documentation disappears from the web constantly. It’s good to keep a set of internal documents if the system ever goes poof and needs to be rebuilt. As fun as they may be, I aim to avoid those late nights gazing hopelessly at a console for who-knows-how-many hours while I try to derive some logical solution out of an elusive issue.

If you don’t know what a PBX is, it is easily equatable to a networking switch: the little box on your home network with a bunch of ethernet cables clipped into it. Your network devices communicate with one another through the switch, and possibly with other devices over the Internet if the switch is connected up to a router and modem. A PBX operates in a similar manner, with phones (physical or software-based) connecting to one another through it at a local site or to other phones in the telephone network, all over the world.

I wanted to accomplish a few things with my PBX, so I split functionality out into a few different areas:

1) Create a PBX using a spare Raspberry Pi. (DONE, see part 1. Wait, you’re already there.)
2) Be able to accept incoming calls. (DONE, see part 2)
3) Be able to make outgoing calls. (DONE, see part 2)
4) Connect a physical, touch-tone phone to the PBX. (DONE, see part 3)
5) Connect a physical, rotary phone to the PBX. (DONE, see part 4)

Additionally, I may expand this functionality further. I could hook up some sort of modem, install software on my PC so it can act as a phone, or even run a fax machine (thrilling, I know)!

Being that this is a learning experience, I’m also committed to spending as little money as possible (within reason). With a technology as old as telephony, there are a lot of cheap/used devices out there that can be had in abundance.

So, let’s get started with the PBX setup. Originally, I ran my installation on an older Raspberry Pi model B. It worked great then, but is definitely showing its age as software gets more and more complex. In the world of open-source PBX software, the two big names you will probably hear are FreeSWITCH and Asterisk. People could discuss the pros and cons of each for hours, but for simplicity, I’ve chosen to use Asterisk as my backing system. Asterisk itself is a very old and capable piece of software, but an administrator can only configure it via editing text configuration files. This is a great way to learn the software at a low level, but I prefer to admin the system using FreePBX, a web-based GUI that sits atop Asterisk, for convenience and speed. While you can still run this fairly well on an original Raspberry Pi model B, I’d recommend at least using a Raspberry Pi 2 (like I am) if not something newer. Of course, you will also need a power adapter and a microSD card (16 GB is more than enough).

There are a few distributions that couple Asterisk/FreePBX on the Raspberry Pi, but I will be using the Debian-based Incredible PBX. Installation is easy enough if you have an SD card inserted on an existing Linux machine. Just make sure you do fdisk -l to determine the location of your SD card.

$ wget -O incrediblepbx13.13-raspbian8.zip 'https://downloads.sourceforge.net/project/pbxinaflash/IncrediblePBX13-13%20for%20Raspbian/incrediblepbx13.13-raspbian8.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fpbxinaflash%2Ffiles%2FIncrediblePBX13-13%2520for%2520Raspbian%2Fincrediblepbx13.13-raspbian8.zip%2Fdownload&ts=1531600211'
$ unzip incrediblepbx13.13-raspbian8.zip
$ sudo dd bs=1M if=incrediblepbx13.13-raspbian8.img of=/dev/disk4

After dd completes, you can pop the SD card into your Raspberry Pi and boot it up.

The Raspberry Pi PBX is online!

Check your router or nmap scan your network to find the IP address of the new RPi machine and visit it in a browser. The FreePBX UI should pop up and allow you to log in with admin/admin.

After a successful login, you will be presented with the FreePBX dashboard.

 

Emulating a z/OS Mainframe with Hercules

Note: I started writing this article back in 2015 and hit a few roadblocks that I’ve been able to finally reconcile in the last few months. There are a lot of similar guides out there (which I will reference in my sources), but I found them to be too ambiguous to be completely helpful. While I’ve learned a lot from writing this and troubleshooting the issues from existing guides, I am still far from a mainframe expert. There may be errors here, or things I could have accomplished in a better, more “proper” way. That said, I ultimately have a usable z/OS system up and running, and I hope I can help you have the same 🙂

Introduction

I recently became aware of the fact that mainframes are still alive and well in the corporate world. But why? Why not just use supercomputers? Mainframes aim to perform a high number of instructions per second, usually measured in the millions. If you hear someone talking about millions of instructions per second (MIPS), they’re probably measuring mainframe throughput. Supercomputers, on the other hand, aim to have a high number of floating-point operations per second (FLOPS). The difference is that mainframes usually deal with information processing in a short window while supercomputers usually deal with simulations requiring a lot of floating-point arithmetic. A supercomputer might be more suited to weather calculations on Jupiter, but a mainframe is still a better candidate for processing a lot of transactions like you might find in banking or airline booking systems.

Okay, but why not use some sort of content distribution network or cloud computing? For years, mainframes have been touted as the go-to for mission critical processing, with minimal downtime. While cloud computing is catching up in this regard, it can be argued that mainframes are still unrivaled when considering their efficiency and maintainability. One mainframe may be able to process a chunk of data more efficiently than thousands of linked machines in remote locations. Now, consider maintenance. Would you rather update one machine or thousands? And scalability? Many cloud providers supply controls to ramp up power when needed (such as during the holidays) or dial it back during more sleepy periods. Mainframes offer the same sort of control, and can easily scale up or down as needed without someone (or piece of software) needing to roll out or switch off a few hundred more servers.

Mainframes are an interesting piece of technology that still have a purpose, but they are rarely discussed these days with the influx of new technologies in processing. It’s easy to try these services out, even for an amateur, but getting your hands on a mainframe is incredibly difficult in comparison. Even if you happened to be employed at a company still utilizing one, you would need training and shadowing sessions before even having the chance to touch a keyboard on a production machine.

Of course, there are ways to explore these systems without needing a physical unit, and that is what I’m going to get into momentarily. It is now possible to get your own taste of Big Iron right from your personal computer.

Requirements

Before we get into installing Hercules, an IBM mainframe emulator, you are going to need to find an image of z/OS. z/OS is the operating system of choice for modern IBM mainframes, but it is a little hard to get your hands on unless you actually have a full-scale system set up somewhere already. There are images of z/OS floating around the Internet that can be found, specifically version 1.10. I will not be sharing where these files can be found, and if you do find them, make sure you adhere to the software license while running z/OS.

Now, we also need a host system to support the Hercules emulator. While Hercules will run in Linux, Windows, and OSX, this guide will use a machine running Linux, specifically Debian 9 (Stretch). I will assume that you already have a system running Debian (or similar) and a non-root, sudo user with access to the z/OS files.

After all of this is set up, we can begin installation!

Configuring Hercules and c3270

First, we need to install some basic utilities and applications. But, one of them (c3270) is not available right away as it is classified as “non-free” software under Debian. You can still install packages like this, you just need to configure your system to do so. We need to edit the sources.list file to allow non-free packages.

Simply add non-free to the end of the stretch and stretch-updates sources by editing /etc/apt/sources.list with your favorite text editor:

$ sudo nano /etc/apt/sources.list

After editing, it should look like this:

$ cat /etc/apt/sources.list

deb http://ftp.us.debian.org/debian/ stretch main non-free
deb-src http://ftp.us.debian.org/debian/ stretch main non-free

deb http://security.debian.org/debian-security stretch/updates main
deb-src http://security.debian.org/debian-security stretch/updates main

# stretch-updates, previously known as 'volatile'
deb http://ftp.us.debian.org/debian/ stretch-updates main non-free
deb-src http://ftp.us.debian.org/debian/ stretch-updates main non-free

Now we are ready to install the packages we need. All of them can be installed by running the following command:

$ sudo apt-get install -y c3270 hercules

As this starts executing, go and put on a pot of coffee. As soon as you turn the machine on and walk back to your computer, this command will probably be through.

The above has installed hercules, our IBM system emulator, as well as c3270, an IBM 3270-compatible terminal emulator that we will use to interface with our system.

Now, I’m going to assume you have the z/OS files somewhere on your Linux machine, possibly in a directory path like IBM\ ZOS\ 1.10/Z110SA/images/Z110\ -\ Copy. I will assume that the root IBM folder is in your home directory. We will reorder things by creating a directory MAINFRAME within the home directory to house the z/OS installation:

$ cd ~
$ mv IBM\ ZOS\ 1.10/Z110SA/images/Z110\ -\ Copy ~/MAINFRAME
$ cd ~/MAINFRAME
$ mkdir PRTR

We will now have the following hierarchy:

$ ls ~/MAINFRAME
CONF DASD PRTR

At this point, we need to edit the config file that Hercules reads to boot our mainframe. You can open up the config file in your favorite text editor and follow along with the lines we will modify:

$ nano ~/MAINFRAME/CONF/ADCD_LINUX.CONF

First, we need to edit lines 38/39/40 of the config to map to your PRTR, CONF, and DASD directories in your ~/MAINFRAME directory. We will be using full directory paths, so use your username in place of mine, famicoman.

#********************************************************************
# SYMBOLS DEFINITION *
#********************************************************************

DEFSYM DASD "/home/famicoman/MAINFRAME/DASD"
DEFSYM PROD "/home/famicoman/MAINFRAME/PROD"
DEFSYM PRTR "/home/famicoman/MAINFRAME/PRTR"

Now, we edit networking information on line 115. We will need two unused IP addresses on our local network. We can get our machine’s current IP address using the ip command.

$ ip address show eno1
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether fc:3f:db:09:60:59 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.248/24 brd 192.168.1.255 scope global dynamic eno1
valid_lft 81093sec preferred_lft 81093sec
inet6 fe80::fe3f:dbff:fe09:6059/64 scope link
valid_lft forever preferred_lft forever

Our Debian machine is located at 192.168.1.248. We can pick two additional addresses in the 192.168.1.1 – 192.168.1.254 range. 192.168.1.20 and 192.168.1.21 are currently unused so these will be chosen. 192.168.1.20 will be something of a virtual gateway for the mainframe (think of this sort of like an address for Hercules itself, which we will use as our entry point) while 192.168.1.21 will be an address for the z/OS machine. Keep in mind that 192.168.1.20 will be exposed to your network independently of your host machine, creating a logically separate machine. This means you can access it with its own address, and create separate firewall rules, port forwarding, etc. as though it was physical machine on your LAN.

We will replace the content at line 115 in the config with the following to create a virtual adapter to handle networking with our chosen addresses:

#********************************************************************
# CTCI COMMUNICATION DEVICES *
#********************************************************************
0E20.2 3088 CTCI /dev/net/tun 1500 192.168.1.20 192.168.1.21 255.255.255.255

Lastly, we edit line 31. This line changes the default port for Hercules console connections (made by c3270) from 23 to something of your choosing. I will be using port 2323 as I may be using port 23 otherwise, and it is not a privileged port.

CNSLPORT 2323

Now we can launch Hercules! (Do you smell your coffee percolating yet?)

I prefer to use screen sessions to keep things organized (if you don’t have screen, install it with sudo apt-get install screen or just use tmux). This is also handy when using a virtual or remote host machine, as you can keep the sessions going when not connected to the host. The below will place you in a new screen session where we will launch Hercules:

$ screen -S hercules

And now for the launch, specifying the config we edited earlier:

$ sudo hercules -f ~/MAINFRAME/CONF/ADCD_LINUX.CONF

Hercules will begin to load (and give you a lot of logs). Then you will be presented with the Hercules console.

The Hercules console after launching. Note our tun0 device opening and our custom console port specified.

Now, we want to create a 3270 terminal session with Hercules. So, hold <CTRL> + A + D to detach your screen session, returning you to your original console window on the Debian host. Next, create a new screen session for our 3270 connection:

$ screen -S c3270

Now in our new screen session, we will launch c3270 to connect into Hercules, emulating a 3270 connection to actual hardware:

$ c3270 localhost 2323

You should be presented with a Hercules splash screen:

The Hercules splash screen.

Detach from your c3270 screen session and reattach to the hercules session. It might be a good idea to open a new terminal window on the host machine to keep multiple screen sessions open at once. I suggest two terminal windows, one with hercules and one with c3270. To reattach your hercules screen session, use the below command after detaching:

$ screen -r hercules

Now that you are presented with the Hercules console again, you should see your connection from the 3270 session in the logs.

HHCTE009I Client 127.0.0.1 connected to 3270 device 0:0700

Booting z/OS

Now we can boot z/OS for the first time! In the Hercules console, type the following and hit <RETURN>:

ipl a80

z/OS will now boot. Your coffee should be done by now, so go grab a cup. I’ll wait.

Depending on the specs of the host machine, this could take a long, long time. The first boot took around 90 minutes for me, and could take even longer. At this point, you will get a lot of logging info in both the c3270 session and the hercules session. A lot of this looks like it could be reporting that something has gone horribly wrong, but don’t worry, it is likely okay. This is probably a good time to go for a walk outside with your coffee. Maybe take a good book and settle under a tree for a bit.

A Potential Boot Issue

I did run into the following message on my c3270 session at some point while attempting boot:

IXC208I THE RESPONSE TO MESSAGE IXC420D IS INCORRECT: IS NOT A VALID
ACTION
IXC420D REPLY I TO INITIALIZE SYSPLEX ADCDPL, OR R TO REINITIALIZE
XCF.
REPLYING I WILL IMPACT OTHER ACTIVE SYSTEMS.

If this happens to you, you can safely type the following in the c3270 session and hit <RETURN>:

R 00,I

This will allow z/OS to continue booting.

This message in the 3270 console halted boot-up. Entering the provided command can resume system startup.

If you are unsure whether or not z/OS is fully booted (It can be hard to tell), the easiest thing to do is open another c3270 connection to localhost (maybe create a new screen session via screen -S terminal). If you get the Hercules splash screen again you can safely close the session (<CTRL> + ], then type “exit”), wait a little longer, and try connecting again. Eventually, your second terminal session should connect and get to the log-on screen for your z/OS installation.

Welcome to the DUZA system!

To log in, we enter “TSO” at the prompt. When prompted for a username, enter “IBMUSER”.

Login starts by asking for a USERID.

Then, enter “SYS1” as the password.

The password gets blanked out as you type it.

From here, press <RETURN>, then the ISPF menu will launch.

You will get some brief messages after logging in. Press the <RETURN> key to go to the ISPF menu.

The ISPF menu serves as a gateway to a lot of system functionality.

Now in the ISPF menu, type “3.4” to load the Data Set List Utility.

Replace “IBMUSER” in the “Dsname Level” field with “DUZA” and press <RETURN>.

We will use the Data Set List Utility to locate our network settings.

Scroll down using the <F8> key in the Data Sets list and locate the one called DUZA.TCPPARAMS. With your cursor, click on the ‘D’ in “DUZA.TCPPARAMS” and use the left-arrow key to navigate three spaces to the left. Type the letter ‘E’ and hit <RETURN> to see items in this data set.

We need to edit the TCPPARAMS for the DUZA system.

On the next screen, use your cursor to click on the first position on the line to the left of the word “PROFILE”. Type the letter ‘E’ and hit <RETURN> to edit this item.

Finally, we can edit the Profile.

Use <F8> to page down to line 90:

000090 DEVICE LCS1 LCS E20
000091 LINK ETH1 ETHERNET 0 LCS1
000092
000093 HOME
000094 10.0.1.20 ETH1
000095
000096 GATEWAY
000097 10.0.1.100 = ETH1 1500 HOST
000098
000099 DEFAULTNET 10.0.1.100 ETH1 1500 0
...
000109 START LCS1

Modify the lines so they look like the following with our IP addresses outlined earlier (and don’t forget line 109!):

000090 DEVICE CTCA1 CTC e20
000091 LINK CTC1 CTC 1 CTCA1
000092
000093 HOME
000094 192.168.0.210 CTC1
000095
000096 GATEWAY
000097 192.168.0.1 = CTC1 1492 HOST
000098
000099 DEFAULTNET 192.168.0.5 CTC1 1492
...
000109 START CTCA1

To save the updated config, place your cursor to the first underline character to the right of “Command ===>” and type “SAVE” followed by the <RETURN> key. Next, type “END” at the same location, again pressing the <RETURN> key.

Here is what the updated settings look like via the 3270 terminal:

Our updated networking is ready to save. Note the IP addresses we specified earlier when configuring Hercules.

Next, we need to recycle the TCPIP service on the system. Go back to your first c3270 console session (detaching your terminal session) and type “STOP TCPIP” followed by the <RETURN> key in the console.

STOP TCPIP.

Wait a minute or two and then type “START TCPIP” followed by the <RETURN> key. After both commands, you should see a lot of console output regarding the TCPIP service. After starting the service back up, wait a few minutes before proceeding to make sure everything has come back up.

After running START TCPIP.

After restarting the TCP service, we need to detach the session and do a few more things on our host machine.

Back on the Debian host machine we need to enable IPv4 forwarding and proxy arp with the following two commands to get networking sorted out:

$ sudo sh -c "echo '1' > /proc/sys/net/ipv4/conf/all/proxy_arp"
$ sudo sh -c "echo '1' > /proc/sys/net/ipv4/conf/all/forwarding"
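With forwarding and proxy ARP enabled, any machine on the LAN can reach 192.168.1.20 through the Debian host, so this is the point where the separate firewall rules mentioned earlier belong. The script below is an added example, not part of the original guide: it uses the page's addresses, the eno1 interface, the tun0 device named in the Hercules console caption and the telnet port 1023 used in the test that follows, while ADMIN_HOST (192.168.1.50) is a constructed placeholder for the one workstation allowed in.

```shell
#!/bin/sh
# Added example: limit who can reach the emulated z/OS guest through the
# Debian host. Values taken from the page: guest address 192.168.1.20,
# telnet port 1023, LAN interface eno1, Hercules tunnel device tun0.
GUEST_IP="192.168.1.20"
GUEST_TELNET_PORT="1023"
LAN_IF="eno1"
TUN_IF="tun0"
# Assumption: the single LAN workstation allowed to log in (placeholder).
ADMIN_HOST="${ADMIN_HOST:-192.168.1.50}"

# Dry run by default: print each command instead of executing it.
# Run with APPLY=1 as root to install the rules.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf '%s\n' "iptables $*"
    fi
}

guest_rules() {
    # Replies for connections that were already allowed, in either direction
    # (this also admits the ICMP errors a traceroute from the guest relies on).
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the admin workstation may open a telnet session to the guest.
    ipt -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -s "$ADMIN_HOST" -d "$GUEST_IP" -p tcp --dport "$GUEST_TELNET_PORT" -j ACCEPT
    # The guest may start outbound connections of its own.
    ipt -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -j ACCEPT
    # Everything else addressed to the guest is dropped.
    ipt -A FORWARD -o "$TUN_IF" -d "$GUEST_IP" -j DROP
}

guest_rules
```

Connections made from the Debian host itself do not pass through the FORWARD chain, so a telnet test run from the host still works with these rules in place.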

Testing Networking

We can now test whether we can remote into our z/OS machine, and if we can get out from the inside. From the console on the host Debian machine, telnet to our mainframe using port 1023:

$ telnet 192.168.1.20 1023

Login with the credentials we used earlier (IBMUSER/SYS1) and try out a traceroute command:

Trying 192.168.1.20...
Connected to 192.168.1.20.
Escape character is '^]'.
EZYTE27I login: IBMUSER
EZYTE28I IBMUSER Password:
IBM
Licensed Material - Property of IBM
5694-A01 Copyright IBM Corp. 1993, 2008
(C) Copyright Mortice Kern Systems, Inc., 1985, 1996.
(C) Copyright Software Development Group, University of Waterloo, 1989.

All Rights Reserved.

U.S. Government Users Restricted Rights -
Use,duplication or disclosure restricted by
GSA ADP Schedule Contract with IBM Corp.

IBM is a registered trademark of the IBM Corp.

IBMUSER:/u/ibmuser: >traceroute 8.8.8.8
CS V1R10: Traceroute to 8.8.8.8 (8.8.8.8)
Enter ESC character plus C or c to interrupt
1 192.168.1.21 (192.168.1.21)  1 ms  1 ms  1 ms
2 192.168.1.1 (192.168.1.1)  70 ms  4 ms  3 ms
3 71.185.57.1 (71.185.57.1)  5 ms  6 ms  4 ms
4 100.41.14.204 (100.41.14.204)  10 ms 100.41.14.206 (100.41.14.206)  8 ms 100.41.14.204 (100.41.14.204)  10 ms
5 * * *
6 * * *
7 140.222.0.187 (140.222.0.187)  10 ms 140.222.2.201 (140.222.2.201)  9 ms 140.222.0.187 (140.222.0.187)  6 ms
8 204.148.79.46 (204.148.79.46)  16 ms  11 ms  11 ms
9 108.170.246.33 (108.170.246.33)  12 ms 108.170.246.1 (108.170.246.1)  12 ms 108.170.240.97 (108.170.240.97)  10 ms
10 108.170.226.95 (108.170.226.95)  10 ms 209.85.254.75 (209.85.254.75)  15 ms 216.239.41.203 (216.239.41.203)  12 ms
11 8.8.8.8 (8.8.8.8)  11 ms  19 ms  10 ms

You can additionally try out some more Unix commands:

IBMUSER:/u/ibmuser: >uptime
07:55PM  up 6 day(s), 03:54,  1 users,  load average: 0.00, 0.00, 0.00
IBMUSER:/u/ibmuser: >uname -a
OS/390 DUZA 20.00 03 7060
IBMUSER:/u/ibmuser: >whoami
OMVSKERN
IBMUSER:/u/ibmuser: >ls
CEEDUMP.20050812.162501.65568  ptest.c                        setup1
SimpleCopy.class               ptest.o                        setup2
SimpleCopy.java                ptestc                         setup3
hfsin                          ptestc.trc.16842781            zfs
hfsout                         setup

Back in your second 3270 connection (which like me you may have named terminal), you can keep entering “EXIT” in the “Command ===>” field until you return back to the ISPF menu we saw earlier.

There are many options from the ISPF menu. Take some time to explore them when you get a chance!

From here, you can enter “6” in the “Option ===>” field to get to the Command menu. From here, you can try out other various commands like ping or netstat by entering them into the “===>” field.

Here is the output of netstat. Notice how previously used commands are cached for you.

Shutting it Down

You always want to make sure to shut down your mainframe in the proper way. Otherwise, you may end up with corrupted data or an unbootable system!

From your first c3270 session, enter in “S SHUTSYS”.

S SHUTSYS

Then after a little while enter in “Z EOD”.

Z EOD

Starting the shutdown process.

After a few minutes the machine will halt. Then, switch over to your Hercules console and enter in “exit” to close out Hercules.

exit

Rebooting the mainframe follows the same start-up process from initial boot, so you can easily come back to things.

Conclusion

That’s it, you now have a functioning mainframe! Albeit, it will be much slower than a real mainframe on real hardware (emulation on my machine usually only clocks between 5-12 MIPS).

Toggle back and forth between the console and graphical view in Hercules with the <ESC> key.

Feel free to explore the system, and start learning how to use z/OS and customize your installation!

Sources

 

On Wetware and Cybersmut — A Future Sex Retrospective

This article was originally written for and published at Neon Dystopia on January 9th, 2018. It has been posted here for safekeeping.

Of all the cyberpunk magazines I’ve ever come across, Future Sex is definitely the strangest. From the cover of the first issue, you know immediately that you haven’t seen anything quite like this before. A naked brunette with headlines screaming “Electronic Masturbation,” and “3D Digital Orgasms: Virtual Reality Sex,” all imposed over a candy-colored gradient background. Make no mistake, when you peel open the pages of this magazine, you’re going to get porn. Lots of porn— with several photo spreads and articles featuring not-so-modest coeds in each issue. But in the sea of smut, phone sex hotline advertisements, and good old-fashioned sex on CD-ROM lies a stockpile of futurist, sex-positive cyberpunk journalism. With articles on teledildonics and smart aphrodisiacs, Future Sex was covering subjects formerly delegated to the dark corners of the ‘net. Now, you could buy it all for $4.95 off of the newsstand.

Cover for the first issue of Future Sex. Read the whole issue here.

I bought my first issue of Future Sex in 2013 or 2014, decades after the magazine folded. It was most likely on eBay, though I have no idea how I was originally made aware of its existence. Shortly after receiving the issue in the mail, I made a quick scan of it and uploaded it to the Internet Archive before sharing a link online. At this point, I only had the fifth issue of the magazine but found the premise of it utterly fascinating. I couldn’t believe that something like this existed, and part of me still can’t.

Over the next few years, I collected a few more issues piece by piece but never thought much of it until I was contacted by Kyle Machulis, aka qDot, in 2016. For those who don’t know (much like me at the time), Kyle Machulis is something of a celebrity in the world of DIY sex toys and sex technology, running projects like Metafetish (formerly Slashdong) and buttplug.io. We became friendly over the topic of Future Sex and embarked on a project where we would track down every issue of the magazine to then scan and upload to the Internet Archive for everyone to read. With both of us getting magazine shipments and rapidly performing scans, we quickly completed the project after a few months and received coverage from VICE Media’s MOTHERBOARD and SexTechGuide. Speaking with Machulis about how he first found out about Future Sex, he revealed a much longer relationship with the publication:

I remembered seeing ads for it in the back of magazines (like Mondo 2000 and others) I was reading around the time it was published. I was at the horribly impressionable age of 13-14, so of course it stuck.

Some of the images from it, especially the Virtual Sex hardware layout, kept coming up over and over again, in articles about the future of tech, memes, things like that. That’s what got me thinking about it again 20-some years later. Since I’d gone from being confused-and-online teen to confused-and-online-and-sex-tech-website-running adult, it seemed relevant to dig it up again.

As great as it was to achieve a complete archive of Future Sex, there is still a lot unknown about it. The magazine was relegated to the dustbin of history, and many stories of its short life went with it. At the beginning of the 1990s, San Francisco was a hotspot for technology, as well as sex. It was where you went if you were weird and had off-beat interests— or kinks. “The early ’90s were a formative time for the Internet we know today, and I wanted to help in making sure that history was archived properly,” Machulis reflects, “While Future Sex would look fairly mild compared to the range of content available today, there was certainly some groundbreaking stuff in it at the time.”

R U into cybersex? Image from Future Sex issue 2.

Future Sex was started in 1992 and driven by Lisa Palac, a former film student and senior editor at the lesbian magazine On Our Backs (1985), helmed by Susie Bright. Palac wasn’t always into such suggestive work. She was originally an anti-porn activist, though she ultimately changed her views as she began to question her Catholic upbringing and investigate the various taboos around sex and sexuality. While in school, Palac would go on to create erotic films, and even publish her own sex-themed pornographic zine before entering the literary world. As the cyber ethos spread through the Bay Area, it eventually hit Palac in a world-changing way.

Clip from the Virtual Reality episode of Futurequest, featuring Palac discussing “telesex” in 1994 (No, that’s not her in the thumbnail).

Journalist Jack Boulware, founder of satirical magazine The Nose (1988), shared an office with Future Sex in the early ’90s. Boulware claims that Future Sex was originally helmed by novelist, and godfather of cyberpunk, John Shirley before he was replaced with Palac by Kundalini Publishing after the first issue. While the masthead of the premiere issue lists Shirley as a contributing editor, Palac receives top billing as Editor, and her words are the first you read as you are introduced to the publication. The staff of this issue reads like a list of guests you might find milling about a Mondo 2000 party at 3AM: Gracie, Richard Kadrey, St. Jude Milhon, and Bart Nagel to name a few. The familiar names make for a comfortable first issue of any publication— as long as your level of comfort was smart drugs and anarcho-leaning techno-counterculture.

Between the high-tech sex talk and multiple photo spreads, the sex-positive, feminist ideals of Palac are at the forefront. This isn’t your normal porno rag aimed at men, nor is it entirely aimed at women; it hits a more general group of sexual beings, poised to look towards the future of sexuality and new ways to get off. Palac is blunt, sarcastic, and snarky, but she’s honest about what she wants and where she sees things going in the world of sex. The next few issues showed refinements in layout and design as the magazine hit its stride. Content boomed with articles on cybersex, teledildonics, high-tech sex toys, and everything in between. Interviews with cyberculture personalities like William Gibson and R.U. Sirius lined the pages, along with discussions of the latest BBS or Usenet group to check out and meet like-minded individuals.

William Gibson gets in on the fun in Future Sex issue 4. Read the whole issue here.

In a lot of Future Sex articles, the technology seems alien. We bounce back and forth between industrial-looking equipment that would feel familiar in a 1970s wood-paneled den, as well as more Cronenberg-esque devices like the CyberSM, which, well… you just sort of have to see for yourself. The virtual sex and teledildonic wet dreams of Ted Nelson and Howard Rheingold never seemed more real. With models clad in leather, latex, steel, and chrome, we received a salty taste of what the next frontier in sex could offer us in the not-so-distant future.

Photos like this are some of the most memorable from Future Sex. Originally from Future Sex issue 2, this scan was actually taken from a 1993 issue of Australian games magazine named Hyper where the images were reused.

With page upon page of advertisements for sex software, expensive bulletin board access, and phone hotlines, you never forgot you were reading a pornographic magazine. Even Future Sex itself advertised all of the different credit cards it could accept for subscription via a full-color banner in the first issue. Though Future Sex had seemed to target all genders and sexual orientations, the advertisements felt old-fashioned and predictable, almost exclusively aimed at heterosexual males.

Future Sex wasn’t seen as a success by everyone. Carla Sinclair, then-editor of bOING bOING, critiqued the first issue, wishing that the publication would do a better job of melding sex and future tech together. While we do get a dose of sex technology in many articles, there are still articles that are clearly about sex or future tech, but not with one another. Sinclair further pondered if there was enough material to squeeze out of high technology being infused with the primitive, basic act of sex, something she saw as two opposites. While issues regularly featured high-tech sex articles, they came out in less and less of a trickle, eventually getting more flaccid over the life of the publication.

Lisa Palac once interviewed Mike Saenz, author of the first erotic software title for the Macintosh, MacPlaymate. Image of the software in action from wowbobwow of reddit.com/r/retrobattlestations.

By the end of the magazine’s run, articles seemed to focus less on our cyber-future and more on the general, alternative-sex scene. Future Sex ended its run in 1994 with a mere seven issues. Issue 7 makes no mention of being the last, which undoubtedly left readers wondering what had happened when nothing arrived in their mailboxes. Internally, Palac was cutting her ties from the magazine, being replaced by writer Lily Burana. While Burana began work on an eighth issue, it was ultimately never released before the magazine shuttered.

Though Future Sex was no more, Palac’s career was still on its way up. While at Future Sex, Palac was constantly bombarded for interviews or photoshoots about the hot new topic of cybersex. Between 1991 and 1993, she worked with Ron Gompertz to produce two Cyborgasm albums that used binaural audio technology in conjunction with erotic stories (Palac actually met Gompertz at a Mondo 2000 party, and the two would later become briefly engaged). After Future Sex, Palac continued a career in journalism, and ultimately published a memoir The Edge of the Bed: How Dirty Pictures Changed My Life in 1997. Later, she would go into television, producing episodes of HBO’s Taxicab Confessions from 1999 – 2001. She currently works as a therapist in Los Angeles, California. Other Future Sex alumni such as Richard Kadrey and Jack Boulware have continued to write for various publications, and also release their own books.

While Future Sex has long been out of print, it certainly hasn’t aged gracefully. “I feel like the magazine is very much of its time, so a lot of the topics covered would really be seen as anachronistic today,” Machulis suggests when asked if Future Sex is still relevant. “That said, a lot of internet users these days are stuck in between extremely dated views of sexuality and an online society constantly shoving the newest, latest thing at them. The best I hope for with the archive work done is to establish maybe a history that can be referenced for trying to bring people up to date.”

As technology has grown and changed over the years, we see advancements in how it can impact and augment sex. Sex toys and related technologies like virtual reality have only become more sophisticated, and the future of sex tech is continuing strongly. With pioneers like Machulis out there, it will likely continue to do so. When asked about the future of sex tech, Machulis has thoughts on that as well: “People are now getting so used to connected technology that the idea of remotely connected toys is becoming feasible to the mainstream, versus being the fever dream of tech nerds . . . we’ll start seeing some really interesting things happen. The thing I’ve learned is that I can’t predict what those things are, though. I was around through the Future Sex days and wouldn’t really have considered the rise of social media and the sociological trends it has kicked off. The future of the early ’90s underground tech magazines is the future I wanted and believed in, but certainly not the one we got wholesale.”

 

Generate A Vanity .onion Address For Your Tor Hidden Service Using Scallion

Ever wonder how Tor sites get those custom vanity .onion addresses such as silkroada7bc3kld.onion? These addresses can be generated by hidden service operators for production use, and are just as secure as the automatically generated (and often more cryptic) addresses.

Hidden service .onion addresses are really just the public part of a key pair. Utilizing asymmetric encryption, a hidden service uses the public key (a 16 character string that functions as the actual address prefix) and a private key (a much longer string that is known only to the hidden service) to verify the identity of the service. Anyone connecting to the public key can only do so if the hidden service has access to the private key. Under normal circumstances, only the service operator has access to that private key, so you could trust that the address has not been hijacked.

Keep in mind, while it takes a long time, it is possible for someone to generate the same keypair as another hidden service. While computationally expensive, entities able to throw enough resources at generating an identical address would be able to do so much more quickly than someone acting alone on a sole machine.

 

Generation with Scallion

Scallion is one tool that can be used for generation. Unlike previous tools for generating addresses, Scallion focuses on GPUs, meaning it works much faster than CPU-targeting utilities in most cases. In my experience, Scallion does not work on ARM devices (use Shallot or Eschalot instead), but if you have an x86_64 processor and some sort of video graphics (integrated or otherwise), you should be good to go.

Let’s get started generating custom .onion addresses. I will assume that you have access to a Linux machine and are familiar with the terminal. I will be using Debian, but this guide should be easy to modify for most distributions.

First, install some dependencies and then clone Scallion onto your machine:

$ sudo apt install clinfo mono-complete mono-devel nvidia-opencl-common nvidia-opencl-dev nvidia-opencl-icd libssl1.0-dev beignet beignet-dev ocl-icd-opencl-dev ocl-icd-libopencl1
$ git clone https://github.com/lachesis/scallion.git

Now, we will move to the scallion directory, and build the scallion executable:

$ cd scallion
$ xbuild scallion.sln /p:TargetFrameworkVersion="v4.5"

Next, we will get a list of all of the devices that can be used for generating addresses:

$ mono scallion/bin/Debug/scallion.exe -l
Id:0 Name:Intel(R) HD Graphics Skylake Desktop GT2
    PreferredGroupSizeMultiple:16 ComputeUnits:24 ClockFrequency:1000
    MaxConstantBufferSize:134217728 MaxConstantArgs:8 MaxMemAllocSize:3221225472

We can see I have one device with an identifier 0 that I can target. You may have more than one device.

Now we can use Scallion to find an address that starts with a word or phrase of our choice. Let’s start Scallion with 8 threads, and have it use device 0. We will look for addresses that start with “apple”. After a little waiting, you should get some similar output with the .onion address (public key) and the private key:

$ mono scallion/bin/Debug/scallion.exe -t8 -d 0 apple
Cooking up some delicious scallions...
Using kernel optimized from file kernel.cl (Optimized4)
Using work group size 16
Compiling kernel... done.
Testing SHA1 hash...
CPU SHA-1: d3486ae9136e7856bc42212385ea797094475802
GPU SHA-1: d3486ae9136e7856bc42212385ea797094475802
Looks good!
LoopIteration:1  HashCount:16.78MH  Speed:98.7MH/s  Runtime:00:00:00  Predicted:00:00:00  Found new key! Found 1 unique keys.

  2018-01-03T00:24:24.645322Z
  applencoaipu4tqj.onion
  -----BEGIN RSA PRIVATE KEY-----
  [private key body not shown]
  -----END RSA PRIVATE KEY-----

After generating a private key and address, you will want to use them with your Tor hidden service. The address and private key usually sit in files within the /var/lib/tor/hidden_service/ directory, named hostname and private_key respectively.

 

For a full list of options and flags, we can run the scallion executable with the --help flag:

$ mono scallion/bin/Debug/scallion.exe --help
Usage: scallion [OPTIONS]+ regex [regex]+
Searches for a tor hidden service address that matches one of the provided regexes.

Options:
  -k, --keysize=VALUE        Specifies keysize for the RSA key
  -n, --nonoptimized         Runs non-optimized kernel
  -l, --listdevices          Lists the devices that can be used.
  -h, -?, --help             Displays command line usage help.
      --gpg                  GPG vanitygen mode.
  -d, --device=VALUE         Specifies the opencl device that should be used.
  -g, --groupsize=VALUE      Specifies the number of threads in a workgroup.
  -w, --worksize=VALUE       Specifies the number of hashes preformed at one
                               time.
  -t, --cputhreads=VALUE     Specifies the number of CPU threads to use when
                               creating work. (EXPERIMENTAL - OpenSSL not
                               thread-safe)
  -p, --save-kernel=VALUE    Saves the generated kernel to this path.
  -o, --output=VALUE         Saves the generated key(s) and address(es) to this
                               path.
      --skip-sha-test        Skip the SHA-1 test at startup.
      --quit-after=VALUE     Quit after this many keys have been found.
      --timestamp=VALUE      Use this value as a timestamp for the RSA key.
  -c, --continue             Continue to search for keys rather than exiting
                               when a key is found.
      --command=VALUE        When a match is found specified external program
                               is called with key passed to stdin.
                               Example: "--command 'tee example.txt'" would
                               save the key to example.txt
                               If the command returns with a non-zero exit code,
                                the program will return the same code.
 

Generate A Vanity .onion Address For Your Tor Hidden Service Using Eschalot

Ever wonder how Tor sites get those custom vanity .onion addresses such as silkroada7bc3kld.onion? These addresses can be generated by hidden service operators for production use, and are just as secure as the automatically generated (and often more cryptic) addresses.

Hidden service .onion addresses are really just the public part of a key pair. Utilizing asymmetric encryption, a hidden service uses the public key (a 16 character string that functions as the actual address prefix) and a private key (a much longer string that is known only to the hidden service) to verify the identity of the service. Anyone connecting to the public key can only do so if the hidden service has access to the private key. Under normal circumstances, only the service operator has access to that private key, so you could trust that the address has not been hijacked.

Keep in mind, while it takes a long time, it is possible for someone to generate the same keypair as another hidden service. While computationally expensive, entities able to throw enough resources at generating an identical address would be able to do so much more quickly than someone acting alone on a sole machine.

 

Generation with Eschalot

Eschalot is one tool that can be used for generation. Eschalot is based on another tool I previously covered called Shallot. While Shallot only allowed for some basic matching with regular expressions, Eschalot gives the user a bit more control and even supports word lists. Eschalot will not be as fast as a tool like Scallion, but it is (in my opinion) more portable as Scallion seems to have issues running on ARM-based SoCs.

Let’s get started generating custom .onion addresses. I will assume that you have access to a Linux machine and are familiar with the terminal. I will be using Debian, but this guide should be easy to modify for most distributions.

First, install OpenSSL if we don’t have it, then clone Eschalot onto your machine:

$ sudo apt-get install openssl
$ git clone https://github.com/ReclaimYourPrivacy/eschalot.git

Now, we will move to the eschalot directory, and build the eschalot executable:

$ cd eschalot
$ make

We can now make sure everything is working using the built-in testing option:

$ make test
./worgen 8-16 top150adjectives.txt 3-16 top400nouns.txt 3-16 top1000.txt 3-16 > wordlist.txt
Will be producing 8-16 character long word combinations.
Reading 3-16 characters words from top150adjectives.txt.
Reading 3-16 characters words from top400nouns.txt.
Reading 3-16 characters words from top1000.txt.
Loading words from top150adjectives.txt.
Loaded 150 words from top150adjectives.txt.
Loading words from top400nouns.txt.
Loaded 400 words from top400nouns.txt.
Loading words from top1000.txt.
Loaded 974 words from top1000.txt.
Working. 100% complete, 31122412 words (approximately 377Mb) produced.
Final count: 31366539 word combinations.
./eschalot -vct4 -f wordlist.txt >> results.txt
Verbose, continuous, no digits, 4 threads, prefixes 8-16 characters long.
Reading words from wordlist.txt, please wait...
Loaded 31366539 words.
Sorting the word hashes and removing duplicates.
Final word count: 31363570.
Thread #1 started.
Thread #2 started.
Thread #3 started.
Thread #4 started.
Running, collecting performance data...
Found a key for kindland (8) - kindlandudsw7nga.onion
Found a key for loudhour (8) - loudhourvype7cyn.onion
Found a key for cutwaxwin (9) - cutwaxwinstsf6mk.onion
Total hashes: 177519717, running time: 10 seconds, hashes per second: 17751971

When done, simply clean up the test results:

$ make cleantest

 

Now is a good time to use Eschalot to find an address that starts with a word or phrase of our choice. Let’s start Eschalot in verbose mode, with 4 threads, and have it continue to look for addresses even after it has found one. We will look for addresses that start with “apple”. After a little waiting, you should get some similar output with the .onion address (public key) and the private key:

$ ./eschalot -t4 -v -c -p apple
Verbose, continuous, no digits, 4 threads, prefixes 5-5 characters long.
Thread #1 started.
Thread #2 started.
Thread #3 started.
Thread #4 started.
Running, collecting performance data...
Found a key for apple (5) - appleiujtls4awea.onion
----------------------------------------------------------------
appleiujtls3awea.onion
-----BEGIN RSA PRIVATE KEY-----
[private key body not shown]
-----END RSA PRIVATE KEY-----

Additionally, you can use the included worgen utility to generate word lists that can be fed into Eschalot. Below is an example series of commands that will generate 10-character strings by mixing nouns that are 3-10 characters long each, and then run the list through Eschalot. Eschalot comes with several different word lists that can be used by the worgen utility.

$ ./worgen 10-10 nouns.txt 3-10 nouns.txt 3-10 > wordlist.txt
$ ./eschalot -vct4 -l 10-10 -f wordlist.txt > results.txt

After generating a private key and address, you will want to use them with your Tor hidden service. The address and private key usually sit in files within the /var/lib/tor/hidden_service/ directory, named hostname and private_key respectively.

 

For a full list of options and flags, we can run the eschalot executable with no arguments:

$ ./eschalot
Version: 1.2.0

usage:
eschalot [-c] [-v] [-t count] ([-n] [-l min-max] -f filename) | (-r regex) | (-p prefix)
-v : verbose mode - print extra information to STDERR
-c : continue searching after the hash is found
-t count : number of threads to spawn default is one)
-l min-max : look for prefixes that are from 'min' to 'max' characters long
-n : Allow digits to be part of the prefix (affects wordlist mode only)
-f filename: name of the text file with a list of prefixes
-p prefix : single prefix to look for (1-16 characters long)
-r regex : search for a POSIX-style regular expression

Examples:
eschalot -cvt4 -l8-12 -f wordlist.txt >> results.txt
eschalot -v -r '^test|^exam'
eschalot -ct5 -p test

base32 alphabet allows letters [a-z] and digits [2-7]
Regex pattern examples:
xxx must contain 'xxx'
^foo must begin with 'foo'
bar$ must end with 'bar'
b[aoeiu]r must have a vowel between 'b' and 'r'
'^ab|^cd' must begin with 'ab' or 'cd'
[a-z]{16} must contain letters only, no digits
^dusk.*dawn$ must begin with 'dusk' and end with 'dawn'
[a-z2-7]{16} any name - will succeed after one iteration

You can also run the worgen executable with no arguments for a complete list of options:

$ ./worgen
Version: 1.2.0

usage: worgen min-max filename1 min1-max1 [filename2 min2-max2 [filename3 min3-max3]]
  min-max   : length limits for the output strings
  filename1 : name of the first word list file (required)
  min1-max1 : length limits for the words from the first file
  filename2 : name of the second word list file (optional)
  min2-max2 : length limits for the words from the first file
  filename3 : name of the third word list file (optional)
  min3-max3 : length limits for the words from the first file

  Example: worgen 8-12 wordlist1.txt 5-10 wordlist2.txt 3-5 > results.txt

              Generates word combinations from 8 to 12 characters long
              using 5-10 character long words from 'wordlist1.txt'
              followed by 3-5 character long words from 'wordlist2.txt'.
              Saves the results to 'results.txt'.

 

Generate A Vanity .onion Address For Your Tor Hidden Service Using Shallot

Ever wonder how Tor sites get those custom vanity .onion addresses such as silkroada7bc3kld.onion? These addresses can be generated by hidden service operators for production use, and are just as secure as the automatically generated (and often more cryptic) addresses.

Hidden service .onion addresses are really just the public part of a key pair. Utilizing asymmetric encryption, a hidden service uses the public key (a 16 character string that functions as the actual address prefix) and a private key (a much longer string that is known only to the hidden service) to verify the identity of the service. Anyone connecting to the public key can only do so if the hidden service has access to the private key. Under normal circumstances, only the service operator has access to that private key, so you could trust that the address has not been hijacked.

Keep in mind, while it takes a long time, it is possible for someone to generate the same keypair as another hidden service. While computationally expensive, entities able to throw enough resources at generating an identical address would be able to do so much more quickly than someone acting alone on a sole machine.

 

Generation with Shallot

Shallot is one tool that can be used for generation. Under the name onionhash, Shallot was first created and maintained by an anonymous developer named Bebop. After Bebop disappeared, development continued with the help of a programmer named `Orum who renamed it Shallot before disappearing himself. Eventually, katmagic moved the code to GitHub where it lives today, but without active development. Over the years, other developers have made fixes, but none of them have been moved into the master branch of the application. Shallot will not be as fast as a tool like Scallion, but it is (in my opinion) more portable as Scallion seems to have issues running on ARM-based SoCs.

Let’s get started generating custom .onion addresses. I will assume that you have access to a Linux machine and are familiar with the terminal.

First, clone Shallot onto your machine:

$ git clone https://github.com/katmagic/Shallot.git

Now, we will move to the Shallot directory, and download and apply some patches:

$ cd Shallot
$ wget https://patch-diff.githubusercontent.com/raw/katmagic/Shallot/pull/9.patch
$ git apply 9.patch
$ wget https://patch-diff.githubusercontent.com/raw/katmagic/Shallot/pull/16.patch
$ git apply 16.patch
$ wget https://patch-diff.githubusercontent.com/raw/katmagic/Shallot/pull/25.patch
$ git apply 25.patch

Wait, what are these for?

  • Patch #9 fixes an off-by-one error that caused generation of incorrect keys.
  • Patch #16 adds an optimization for computing powers of 2 using a bitshift.
  • Patch #25 adds use of memcmp to speed up regular expression use.

Next, we will configure and make to build the shallot executable:

$ ./configure && make

We can now test it by generating an address that starts with “apple” utilizing regular expressions:

$ ./shallot ^apple

After a little waiting, you should get some similar output with the .onion address (public key) and the private key:

$ ./shallot ^apple
-----------------------------------------------------------------
Found matching domain after 9231616 tries: applelmehzgcx37v.onion
-----------------------------------------------------------------
-----BEGIN RSA PRIVATE KEY-----
[private key body not shown]
-----END RSA PRIVATE KEY-----

The address and private key usually sit in files within the /var/lib/tor/hidden_service/ directory, named hostname and private_key respectively.

 

For a full list of options and flags, we can run the shallot executable with no arguments:

$ ./shallot
Usage: shallot [-dmopv] [-f <file>] [-t count] [-x time] [-e limit] pattern
  -d        : Daemonize (requires -f)
  -m        : Monitor mode (incompatible with -f)
  -o        : Optimize RSA key size to improve SHA-1 hashing speed
  -p        : Print 'pattern' help and exit
  -f <file> : Write output to <file>
  -t count  : Forces exactly count threads to be spawned
  -x secs   : Sets a limit on the maximum execution time. Has no effect without -m
  -e limit  : Manually define the limit for e

The repository on GitHub also has a handy chart to estimate how long it will take to generate an address matching a certain number of characters on a 1.5GHz processor:

characters | time to generate (approx.)
-------------------------------------------------------------------    
1          | less than 1 second    
2          | less than 1 second    
3          | less than 1 second   
4          | 2 seconds    
5          | 1 minute    
6          | 30 minutes    
7          | 1 day    
8          | 25 days  
9          | 2.5 years  
10         | 40 years  
11         | 640 years  
12         | 10 millenia  
13         | 160 millenia  
14         | 2.6 million years
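
Added example (not code from the original post or from Scallion, Eschalot or Shallot): how a 16-character address of this kind is derived from an RSA public key, and why each extra prefix character costs roughly 32 times more hashes. It assumes the v2 scheme (base32 of the first 80 bits of the SHA-1 of the DER-encoded public key), uses a constructed and insecure demo key built from two Mersenne primes, and searches by stepping the public exponent e (the value Shallot's -e limit option caps) as a simplified stand-in for what the tools do.

```python
import base64
import hashlib
from math import gcd

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")

# Constructed demo key: two Mersenne primes. Trivially factorable, never use it.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)


def der_len(length):
    """DER length octets: short form below 128, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(value):
    """DER INTEGER for a non-negative int (extra 0x00 when the top bit is set)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body


def rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey: SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body


def onion_v2_address(n, e):
    """base32 of the first 80 bits of SHA-1 over the DER-encoded public key."""
    digest = hashlib.sha1(rsa_public_key_der(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def expected_tries(prefix):
    """Each base32 character carries 5 bits: a k-character prefix needs ~32**k hashes."""
    return 32 ** len(prefix)


def find_vanity(prefix, n, phi, e_start=65537, e_limit=2**24 + 1):
    """Step the public exponent through odd values until the address matches.

    Returns (address, e, d, tries), or None when e_limit is reached, at which
    point a real tool would generate a fresh key pair and start over.
    """
    if not prefix or len(prefix) > 16 or not set(prefix) <= BASE32_ALPHABET:
        raise ValueError("prefix must be 1-16 characters from a-z and 2-7")
    tries = 0
    for e in range(e_start, e_limit, 2):
        tries += 1
        address = onion_v2_address(n, e)
        # A match is only usable if e is invertible mod phi, so d exists.
        if address.startswith(prefix) and gcd(e, phi) == 1:
            return address, e, pow(e, -1, phi), tries
    return None


if __name__ == "__main__":
    address, e, d, tries = find_vanity("on", N, PHI)
    print(f"{address}  e={e}  tries={tries}  expected~{expected_tries('on')}")
```

Because the address is a hash of the public key, the same onion_v2_address call can be used to check that a hostname file actually corresponds to the key stored next to it.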