This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

My Sixth World

This is where I put stuff I’ve written about my campaign’s “fluff” - ie. the narrative and the fictional world.

How Stuff Works

SINs and licences

A brief overview of fake IDs in the Sixth World

The (Wireless) Matrix

How the wireless Matrix works, from an in-game perspective

Overview of what is possible with these rules

Game scenarios these rules attempt to capture

Making the Matrix

What the Matrix is made of: the backbone and the local mesh; hosts and other icons

Matrix icons

How things look in the Matrix

The augmented everyday

How augmented reality works and feels

Hacking the Matrix

Bending the Matrix to your will

Symmetric entropy pools

Hack-proof encrypted comms… with a twist

Other stuff

Smaller bits and pieces, plot devices, etc

Comparing these houserules to Shadowrun 5e/6e RAW

A quick list of the simplifying assumptions I have made

Tweaking Shadowrun's tech level

Trying to maximise the ‘cyberpunk feel’ by reducing technological sophistication

1 - How Stuff Works

How things work!

Gear and equipment

SINs and licences

A brief overview of fake IDs in the Sixth World

1.1 - Gear and equipment

How gear works!

1.2 - SINs and licences

A brief overview of fake IDs in the Sixth World

In a society defined by the haves and the have-nots, the sharpest line between them is the possession of a System Identification Number or SIN. A combination of citizenship, a passport, voting rights, and taxation obligations, it gives you the ability to live and work legally. To be SINless is to fall outside the system on almost every measure - no governmental support, no right to employment or vote, unable to use public facilities or transit, constanlly turned away from shops and restaurants.

What a SIN is

SINs are issued by a wide variety of governmental and extra-territorial corporate entities. They can be granted by birth or by a similar process to obtaining citizenship. Sometimes, corps grant them to particularly desirable hires. Often, corps use the threat of revoking someone’s SIN to keep their workers in line.

Physically, a SIN is merely a string of alphanumeric characters. The only human-readable part of it is a prefix code indicating the issuing entity - country or corp - who owns and controls the SIN. What counts isn’t so much the SIN itself as the data associated with it in various online hosts and datafiles.

SINs are the de facto unique identifier in the Sixth World. They are tracked everywhere, both in person and in the Matrix. Every interaction and transaction you have can be tied to your SIN and tracked in some database - and almost all of them will be. Hence every SIN has, trailing behind it, vast wakes of data, scattered across innumerable databases.

Those who don’t have a SIN - the SINless - are condemned to a life of misery. They are locked out of legal employment, of all banking, of reasonable healthcare. They cannot vote and they have no social safety net; even their basic civil rights are reduced. They face a lifetime of grinding for low cash-only wages and paying shady landlords high rent for shitty apartments, and praying that when they get sick there’s room at the charity hospital for them.

SIN broadcasts

Matrix protocols have a special sidechannel for SIN broadcasts, beamed out at all times from your commlink. These broadcasts are not quite legally required, but in any lower-middle-class or better area, not having an active broadcast is a screaming red flag that will definitely attract attention. (Note that in very rough parts of town, the kind where police only travel in entire squads or not at all, broadcasting a SIN becomes a mark that you are easy prey. Choose wisely.)

SIN checks

SINs can’t separate the privileged from the scum unless there’s a way to know which is which.

Simple ID checks

Every SIN issuer makes available a listing of basic personal information associated with the holder of the SIN: name, date of birth, metahuman race and ethnicity, home address, stuff like that. If you attract the attention of a beat cop on the street, you can expect them to pull this up; and if your SIN is fake and the details don’t match you, well, you’re in trouble now.

Unfortunately for the police (but luckily for our plucky criminals), the SIN database infrastructure is run by for-profit corps, so carrying out a check like this costs a fraction of a nuyen. So penny-pinching corps like Lone Star and Knight Errant put their cops on quotas, preventing the authorities from just checking everyone they see.

Consistency checks

If someone wants to go a bit further in verifying your SIN, the next step is to validate that the datastream attached to it looks legitimate. SINs are tracked everywhere, and that tracking information ends up in numerous databases owned by data brokers; these brokers' main line of business is selling access to the data to advertisers so they can track your every desire. But a lucrative sideline for them is running pseudo-AIs over each SIN’s profile to see how real it looks. This often catches out fake SINs, as generating a detailed, realistic, long-term history for a fake SIN is a lot of work.

Biometric checks

This is the most secure form of check; gather one or more biometics from the person in question (finger print, retina scan, even a DNA swab) and compare them to the biometrics stored on file for the SIN.

Just one problem: jurisdictions. SIN issuers do not make these biometric files readily available to anyone who asks, because the corps do not trust anyone with that data. Outside of investigations of very serious crime (eg. terrorism), most of the time, the only entity that can check biometrics is the corp or nation-state that issued the SIN.

The ins and outs of fake SINs

Lifestyle SINs

Every ‘runner has a fake SIN (or perhaps a set of fake SINs) that they live their day-to-day lives under: buying groceries, paying rent, running their GridGuide subscription, that sort of thing. They don’t use this for criminal work, because it would make them far too easy to track down. There is no overhead associated with this, it’s absorbed in day-to-day living costs.

Although they last a long time, these fake SINs aren’t particularly good, and can’t pass a lot of inspection. Most people interacting with it – like ‘runner’s landlords – most likely know it’s fake, but aren’t the kind of people who are looking too closely. This is one reason ‘runners tend to live in the less gentrified neighbourhoods.

Fake SINs

Where necessary, ‘runners can buy extra fake SINs for a job.

A fake SIN will pass simple ID checks from a beat cop on the street automatically. The fake datastream associated with the SIN might stand up to a consistency check, should the ‘runner try anything that might provoke one; for example, infiltrating a secure area through the front door via a fake identity. In Sprawlrunners game terms: roll a Notice check for whoever is inspecting the SIN to see if they spot any weirdness in the analysis results. This might be a +/- 1, depending on the resources of the corp doing the check.

Gear licences for these SINs are “open carry”, in the sense that the presence of the licence is automatically broadcast alongside the SIN. This can (obviously) attract attention, and often does.

Fake SINs are inserted into tracking databases via hacks that are quickly discovered and deleted. They are typically only useful for a week or so.

High quality fake SINs

If you’re really up to something nefarious, you can purchase a high-end fake SIN.

These are far better quality, with skilled counterfeiters creating near-impeccable fake histories spanning multiple databases. They pass all simple ID checks and consistency checks automatically. They might, or might not, pass a biometric test run against the SIN database of whoever ostensibly issued the fake. In game terms, this is a Notice check by the host/system running the scan - typically a d6-d10 rating.

Licences on high quality fake SINs can be open carry, or if the purchaser prefers, “concealed carry” – meaning the SIN broadcast does not tag the person as carrying concealed weaponry. They are still licensed, however, and get to be extra rude and snooty to any beat cops who notice their gun, stop them assuming they are unlicensed, then discover they are (seemingly) VIPs.

High quality fake SINs are still deleted after ~1 week, though, just like low-quality ones.

FAQs about SINs

Why can’t the cops look up my DNA/fingerprints/etc that I left at the crime scene?

Although many SIN issuers do gather and store a biometric profile, they don’t make this information available to the authorities (except, rarely, in the case of serious and high-profile crimes like terrorism.) So even if you do have a SIN in someone’s database, it’s very unlikely to be accessible to anyone investigating your crime… with the exception below.

What about criminal SINs?

Most nation-states will issue special “criminal SINs” to anyone convicted of crimes, petty or otherwise. If you’re unlucky enough to get issues a criminal SIN in, say, the UCAS, then any UCAS-jurisdiction cop is going to be able to read your fingerprints off their database. This can be a severe pain the ass for you and your criminal associates.

Even worse, criminal SINs are an exception to the hold-your-cards-close-to-your-chest rules most SINs are kept under. The SIN and its biometrics are shared widely and freely - that’s most of the point; a criminal SIN is an anchor you have to drag around forever. (Unless you have friends in high places who can get it wiped off the books, omae.)

Corporations don’t bother with criminal SINs. They prefer more immediate punishments.

2 - The (Wireless) Matrix

How the wireless Matrix works, from an in-game perspective

2.1 - Overview of what is possible with these rules

Game scenarios these rules attempt to capture

Deckers can use their cyberdeck in augmented reality mode to wirelessly connect to nearby devices: cameras, maglocks, other people’s commlinks and smartguns… They can exploit these connections to hack the device and sublety manipulate them: stealing data, listening to phone calls, looping camera feeds, opening doors. Or they can abandon subtlety and switch to cybercombat: crashing devices, flooding them with bad data and 0-day vulnerabilities until they are knocked offline entirely.

People can defend against deckers in a few ways. The simplest method is to form a private network controlled by your commlink. A network groups all their gear behind the controller, then establishes it as the beachhead connection to the rest of the matrix. Now, in order to hack the devices in a network, the decker first has to hack the network itself. It’s not a lot of extra protection (unless they have a really expensive commlink), but it’s something.

Deckers and riggers can form more powerful networks using their cyberdeck or dronedeck as as controller. These are harder to hack, as these devices are much more powerful than any commlink – and even if you do hack into them, the decker or rigger might notice.

Corp wageslaves working in a facility often use a network controlled by a powerful host. This provides a lot more protection. To hack devices on a host-controlled network, the decker first of all has to hack the host; that involves a trip into VR, leaving their meatbod behind as a floppy, vulnerable shell.

Hosts are also where corps keep their juicy (and valuable!) secrets, so deckers naturally gravitate to attacking them. Those secrets are guarded by ICE and by counter-decker security staff called spiders, so it won’t be easy. Hosts can be hacked via wireless connections if the decker can get within connection range, but it’s better to find a convenient device the host trusts and use it to establish a back door via a wired connection to its inner workings.

With wireless connectivity, deckers also loom large on the modern battlefield. They can host and defend tacnets, realtime AR overlays for members of their team that allow them to share tactical information. When the situation calls for stealth, they can reconfigure their network to hide on the Matrix, disguising dataflow between the devices to look innocuous. And finally, they can make powerful DoS Attacks against opponents, overloading their electronic gear with junk data to inhibit its functionality.

2.2 - Making the Matrix

What the Matrix is made of: the backbone and the local mesh; hosts and other icons

The third-generation Matrix of the 2070s is a technological marvel, delivering immersive AR and VR applications to users without the need for wires. But how does it manage such fast connections without requiring the user to physically connect a cable? The answer comes in two parts.

The backbone

The first part is the global grid, also known colloquially as the backbone. This is broadly equivalent to what was known in the early 21st century as “the cloud”; it’s the sum of all the physical infrastructure of fibre trunks, satellite uplinks, and other super-speed connections that connect all the Matrix’s hosts together. Within the backbone, speed is functionally infinite, and distance is no issue. But you can only use the backbone if you have a physical, wired connection to it. Nobody wants that.

Early 21st century cellular wireless standards are no help. The Matrix demands very fast high-frequency ultra-wideband radios, but they are easily blocked by the gleaming steel-and-glass towers of the sprawl. You’d never get a signal. How to square this circle?

The local mesh

The answer is a short range, peer-to-peer mesh network. Suppose Alice wants to check the latest updates on her P2.1 social feed. Her commlink sends the request to her neighbour Bob’s commlink. From there, it’s forwarded to Charlie’s commlink. And so it travels, until it reaches an uplink host - which has a hardline connection to the backbone. From there, it can speed off to its final destination. The P2.1 host sees the request, and sends the response back down the same link. This all happens in the blink of an eye.

Every Matrix device automatically self-organises itself into a reliable mesh network, and sets up forwarding and routing so that everything transparently works. This is the local mesh. At all times, your Matrix devices exist in a bubble, extending perhaps a hundred meters around you. Somewhere in that bubble is your closest uplink host, the one you will send backbone traffic to. But where is your traffic going? Well, for most people, it’s usually a host.


Hosts come in a few major types, depending on what kind of connection they have.

First, there are the aforementioned uplink hosts, sometimes called beanstalks. These bridge between the backbone and the local mesh, a bit like an old-time cell tower. People don’t really think about them too much; like any piece of reliable infrastructure, they fade into the background. But they’re there, scattered around the sprawl.

The most common type people interact with in their personal lives are cloud hosts. These are hosts made up of many physical servers distributed around the planet, all with their own connection to the backbone. They exist everywhere and nowhere at once. Cloud hosts are very powerful and very secure.

However, you can’t use cloud hosts for everything. When Wally Wageslave sits working in his office like a good little drone, that office’s various systems - heat, light, power, security, Wally’s files and emails - are all run by a host located inside the building. These local hosts work exclusively on the local mesh, without a backbone connection. Local hosts have one defined place of existence; somewhere, there’s some computers in a rack you can point to and say “this is the host for this building.”

Some of the more prominent and successful hacker collectives might run illicit local hosts, sometimes called dark hosts as they (for obvious reasons) do not advertise their existence like most legal hosts do.

Offline hosts are computers that are totally air-gapped, with no connection to the local mesh or the backbone. The only way to connect to them is directly via a cable. Offline hosts are often used for very important, secret file storage, and are placed in locations that are very physically secure.

But how do you actually get stuff done on the Matrix? Well, you interact with icons.


Everything on the Matrix is represented by an icon. Icons can look like anything; cartoonish symbols, abstract runes, photorealistic 3d images; anything (although most sane Matrix designers use icons that at least vaguely resemble what they are used for). Icons can represent one of a few different types of thing:

  • Tags: tiny little passive chips. They have no batteries or computing power of their own; they are powered by wireless power gathered from the Matrix. They typically hold and/or broadcast some number of files. They cannot be hacked, as such, as they lack any processor of their own. See Tags for more.
  • Files: any type of data (text, audio, video, computer code, …), stored on any type of medium (in a tag, on a commlink, in a host, on a storage chip, …).
  • Devices: toasters, cars, door locks, speakers, microwaves, etc etc etc. In the Sixth World, near enough everything that has electrons flowing through it also has a functioning Matrix connection of its very own. Devices can be directly connected to the matrix (unattended) or protected inside a network run by a commlink, ‘deck, or host.
    • Commlinks: special devices that people use to see and interact with the Matrix.
    • Cyberdecks: souped-up commlinks that can be used to bend the rules of the Matrix by hackers and counter-hackers. There’s also drone decks, which are similar but specialised and used to remotely control drones.
  • Hosts: as mentioned above, these are the “servers” of the Matrix; big computer systems you can go into and do stuff within. So the social network P2.1 has a host that you go into to read your friends’ updates, post messages, play games with them; that sort of thing.
    • Some hosts are so big that internally they are sub-divided into zones called nodes.

2.3 - Matrix icons

How things look in the Matrix

When you view the world in AR, your commlink or cyberdeck can overlay icons for any (and all) nearby matrix devices onto your vision. This is rather overwhelming - in an urban area, the local mesh can contain thousands of icons. So most people run filtering routines that hide most of them and only show ones deemed important. For example, in a crowded street, you might only show icons for commlinks for people you know, and hide the rest.

The mesh networking routing protocols that keep the wireless matrix working tracks the approximate position and motion of all these devices, so it can predict when devices are about to go out of range of each other and have fallback routes prepared to keep traffic flowing. AR leverages this information to position icons in the user’s sensorium in vaguely the correct place, relative to where the device is.

When the user has line-of-sight to the device, this positioning is quite accurate; glance at a coffee machine in AR and you’ll see its glowing matrix icon hovering just over it. When there’s no line of sight, position accuracy drifts randomly, often by a few metres. If you are in a shopping mall and your friend is in the store a few doors down from you, you’ll see an icon for their commlink, but it’ll appear vague and fuzzed-out so you know it’s only an approximate position.

When using VR inside a host, there is no need to make things correspond to meatspace. Icon positioning is arbitrary and governed by the sculpting of the host. Some hosts look like glowing neon wireframes, with icons clustered across an infinite 2d plane. Others are painstakingly rendered 3d environments with icons grouped logically and scattered across rooms or areas. The possibilities are limitless.

Types of icon

  • Tags: tiny, passive chips; see Tags.
  • Files: any type of data (text, audio, video, computer code, …), stored on any type of medium (in a tag, on a commlink, in a host, on a storage chipdrive, …).
  • Devices: toasters, cars, door locks, speakers, cameras, drones, microwaves, etc etc etc. In the Sixth World, near enough everything that has electrons flowing through it also has a functioning Matrix connection of its very own.
    • Commlinks: special devices that people use to see and interact with the Matrix.
    • Cyberdecks: souped-up commlinks that can be used to bend the rules of the Matrix by hackers and counter-hackers. There are also drone decks, specialised variants used by riggers to control drone networks.
  • Hosts: the “servers” of the Matrix; big computer systems you can go into in VR and do stuff within. Some hosts are so big that internally they are sub-divided into zones called nodes.
    • Inside hosts, you can see (lots of!) icons for files and connected devices.
    • Hosts also contain personas, which are VR icons representing people using the host. Personas can be very simple and generic, or highly customised and tailored to the person they represent. See Personas.
    • Hosts also contain ICE, intrusion countermeasure electronics. These are autonomous software agents that form the first line of defence against hostile deckers.

2.4 - The augmented everyday

How augmented reality works and feels

Interface issues: augmented reality is not telepathy

When a user is in VR, their body’s nervous system is partially shut down by a RAS override. One of the effects of this is that by blocking sensory input to the brain from the user’s body, it makes it much easier for their datajack to read their conscious and sub-conscious impulses. This, in turn, creates a really efficient control surface; the user can send instructions as fast as they can think.

AR doesn’t work like that, as it has no RAS override. The datajack has to try and pick out the impulses amongst a storm of unrelated sensory processing. For this reason, most control of devices via AR is done indirectly through holos (see below) instead of direct brain-computer interfacing as is typical in VR.

One area where AR can directly read thoughts quite successfully is via a sort of text-to-speech service. As long as the user deliberately and clearly forms words in their mind, their inner monologue can be picked up by the datajack and sent to a commlink or other device. This is often used for text messaging or sending very simple commands, eg. to turn a smart device on/off or fire a smartgun. Compared to doing stuff in VR, it’s glacially slow, though - only about the same speed as talking, perhaps a bit faster if the user has had a lot of practice.


For anything more complex than a on/off switch, the primary type of interface in AR is an Augmented Reality Object (ARO) - often called “arrows” or “holos” in everyday language.

For a user with a datajack, holos are inserted directly into their sensorium. They typically appear as semi-translucent neon glowing screens and buttons, floating in space (hence the name “holo”.) They can have sound elements, and usually have tactile elements too - holographic buttons and controls feel real when the user touches and presses them.

Holos can be private, viewable only by one person; this is typical for someone using their commlink via AR. They can be public, viewable by anyone; this is typical for advertising hoardings and billboards. Or they can be semi-private, shared with a selected group of people.

Working life

Perhaps surprisingly, a lot of work still happens in meatspace, with physical displays and interfaces.

The early promise of VR as an accelerator for productivity never emerged, for a variety of reasons. Firstly, using VR for extended periods of time is exhausting, both mentally and physically - it’s like running full-throttle for hours and hours. Few people can maintain the pace. Secondly, the sensation of being cut off from your body when it is in a public place is quite disconcerting to most people, and they find themselves constantly distracted by worrying about their meat. So outside of a small handful of elites working from private offices, most wageslaves only dip into VR occasionally for remote meetings and the like.

AR is more commonly used, but that also has limitations. For one thing, it’s not all that much faster to use than an old-fashioned screen and keyboard. And for another, using holos for detailed work like reading lots of text or running complex simulations often cause troublesome headaches or eyestrain if used for very long periods. So the typical wageslave bounces back and forth, dipping into AR screens while on the move, but falling back to large screens at their desks.

AR and VR without datajacks

Users who do not want or cannot afford datajacks can still get online, but with some big caveats.

VR can only be achieved with a clumsy ‘trode net worn around the head. Sensory fidelity is reduced, compared to a datajack, and speed is reduced. Worst of all, the trodes have to be placed in the right spots, and are easily dislodged if the user moves around while wearing them.

Users can get an AR overlay with a variety of sense link devices: smart contacts, glasses or goggles for visual, earbuds for audio, and feedback gloves for tactile elements. As with ‘trodes, these are clumsy and inferior to datajack interfaces, but they are usable. Civilian versions of these devices are mostly fairly delicate and easily damaged by rough handling in combat. Ruggedised versions exist, but are bulky and obvious.

2.5 - Hacking the Matrix

Bending the Matrix to your will

The end of encryption

The incorporation of early quantum processors into the first cyberdecks sent an earthquake through the tech world from which it never recovered. Even the strongest, best designed encryption of the day fell before it in fractions of a second. There could be no more secrets.

Today, things have improved only slightly; the most advanced encryption in the world still cannot hold up to sustained assault from a skilled hacker with high-end cyberdeck.

This single innovation has reshaped the world.

Rise of the spiders

Faced with the total loss of passive defence - ie. strong encryption of data - the megacorps had to pivot to active defence.

First, they built high walls around their kingdoms. Some of the most sophisticated pseudo-AI on the planet exists to run ICE: Intrusion Countermeasure Electronics. ICE patrols and defends the megacorp’s hosts tirelessly, rooting out invading hackers and - sometimes - frying their brains.

But ICE isn’t all-powerful, so the corps also set people to guard those walls. These counter-hackers, called spiders in the language of the street, sit in the middle of sprawling webs of sensors and alarms. Attract their attention, and they are swiftly dispatched to deal with you. And they are good, with all the equipment and training of their deep-pocketed masters.

The Grid Overwatch Division (GOD)

Each megacorp can hire its own security staff to patrol its own hosts, but that leaves the backbone itself vulnerable to attacks. It’s too important to leave undefended, so the Corporate Court formed the Grid Overwatch Division (GOD). GOD is a semi-autonomous organisation, tasked with defending public grid infrastructure, staffed by spiders and technicians loaned from the AA and AAA megacorps.

How to hack

Sending hacking traffic over the backbone is near-impossible. The uplink nodes are equipped with powerful coprocessors that carry out deep packet inspection, scanning for anything out of the ordinary. At the first sign of trouble, aggressive autonomous agents are deployed, rapidly followed by elite GOD spiders.

It is on the local mesh where the deckers can bring their powers to bear. Hampered by the need to maintain backwards compatibility with millions of devices that have fallen into planned obsolescence, and with even small changes to the protocols requiring dozens of squabbling corps to agree, the local mesh is… well, it’s a mess. Deckers exploit this ruthlessly, using vast databases of known vulnerabilities to carve through the laughable defences that devices rely on.

There is an obvious problem, though - the local mesh is small, typically extending only 50-100 metres. With the wireless matrix, Deckers need to get close to their targets. They can no longer sit in the safety of armoured bunkers, hundreds of miles from danger.

What to hack

Any device that is attached directly to the matrix is considered to be unattended. Civilian and even security grade unattended devices have very weak defences against hacking.

Most ordinary people will arrange all of their various matrix gadgets into a personal area network (PAN.) A PAN is controlled and monitored by their commlink, which routes all matrix traffic through itself. Devices in a PAN cannot be hacked individually; instead, the decker must hack the commlink instead. PANs are a little bit more difficult to hack than an unattended device, but the main benefit is that if the commlink notices the hack attempt it can alert the owner at once. They can then take action, such as shutting down their devices.

The corporate grown-up version of a PAN is a wide area network, or WAN. WANs are very similar but instead of a commlink they are controlled and monitored by a host. As with a PAN, you cannot hack individual devices in a WAN; you have to enter VR and hack the host directly. If you can get a direct cabled connection to a device that is part of the WAN, you can exploit that to more easily hack the host. For this reason, corps tend not to put easily-accessed exterior building defences like cameras or maglocks on their primary security WANs.

Finally, there are also secure PANs, or s-PANs. S-PANs are PANs that are run from a cyberdeck or drone deck and are being actively monitored by a decker or rigger. S-PANs cannot be hacked at all, as their admin will swiftly notice any hack attempts and take defensive action. They can only be knocked offline via cybercombat.


The local mesh protocols specify that all devices monitor all the traffic they can see to scan for hack attempts. This isn’t hard to avoid in the short term, but as a decker carries out more and more hacks using the local mesh against devices and PANs, it gradually becomes more and more difficult to hide. Once it reaches a critical level, GOD will deploy autonomous agents to hunt the decker down; if they are unsuccessful, a GOD spider will reinforce them. A skilled decker relies on speed and stealth to achieve their goals before this happens.

Hosts maintain their own alarm state, separate from the local mesh one as they are outside of GOD’s jurisdiction. They react to alarms by deploying ICE and security counter-hackers, as well as alerting security personnel in meatspace that a possible intrusion is underway.

2.6 - Symmetric entropy pools

Hack-proof encrypted comms… with a twist

Quantum processors used in cyberdecks for hacking and code-breaking can shred almost any known cryptography, given enough time; but they are not omnipotent. If you really, really need a secure communications channel, and are prepared to jump through hoops for it, there is something you can do.

Ancient cryptographers would sometimes use one-time pads to encode messages in a way that was nearly unbreakable. The 207x equivalent is a symmetric entropy pool. Two parties share a massive pool of carefully generated, thoroughly randomised data. The pool is used to encrypt all communications between them before they are sent via the public Matrix. The other party uses their matching copy of the pool to decrypt the message again. In theory, this cannot be decrypted by attackers, as it appears to be completely random noise.

Shared entropy pools come with some significant downsides, however:

  1. The entropy pool has to be kept absolutely secure and private, so the parties usually have to meet face to face to set the pool up, or the data has to be sent via eg. a trustworthy data courier.
  2. Physical access to one copy of a shared entropy pool for a few minutes is enough time to duplicate it. If you possess a copy of someone else’s pool, you can undetectably spy on their communications. This makes copies of established pools extremely high-value targets for espionage.
  3. Due to an interaction between the Roper-Eld quantum computational limit and the Shannon-Hartley theorem, the size of the entropy pool required to securely encrypt a channel increases with the square of the data being sent along it. This quickly becomes very difficult to manage if the intention is to use it for long-term communications. The pools have to regularly be recreated and re-copied between users.
  4. SEPs can be used for realtime audio or (at a push) video, but cannot support the data rates necessary for AR or VR traffic.

SEP hardware

Most users of entropy pools use specialised hardware to store and work with them. This is a credstick-sized device that plugs into a standard dataport on a commlink or cyberdeck. The commlink sends the encrypted data stream into the device, and decrypted data comes back. The main advantage of this is that when being used normally the entropy pool cannot be hacked even if you hack the commlink, as the commlink cannot read the pool directly.

However, by flicking a recessed switch, the device can be put into setup mode; this is designed to allow pools to be created, synchonised, and copied. Hence, with physical access to any device for a minute or two, an attacker can easily duplicate the pool.

2.7 - Other stuff

Smaller bits and pieces, plot devices, etc

Dark fibre

The backbone infrastructure is administered and patrolled by the Grid Overwatch Division, and is theoretically neutral between the megacorps. But the corps didn’t get rich by trusting each other. Where security demands it, it’s not unusual for corporations to run their own private communication lines - for example between a secure, hidden facility and a more public one. This lets the secure facility access the Matrix discreetly without making its location or purpose obvious. This is called dark fibre.

On the local mesh, dark fibre functions like a wormhole. If you can hack the controlling host on one end, you can coerce it to carry your traffic to the other, and suddenly you can “see” devices that could be dozens or even hundreds of kilometers away. Occasionally, wily shadowrunners use this as part of a smash-and-grab, using a forgotten dark fibre link to hack into a distant host that is too physically well-protected to get near in the physical world.


Tags are tiny, passive chips, with a small amount of ROM and minimal processing power. They use the ROM to store a small number of data, which can then be broadcast onto the matrix. They usually have no battery of their own, or only a very small backup battery; instead, they rely on wireless power transmission from nearby Matrix devices.

Tags cannot be hacked, as such, as they lack any processor to hack. They can be erased by a specialist tool that generates a powerful electromagnetic field, but it only has an effective range of a few centimetres, so you need to know where the tag is.

Tags are very common in my campaign, and have numerous uses:

  • Broadcasting a fixed AR holo - eg a billboard, signage, an animated menu outside a restaurant, or a piece of grafitti.

  • Local tracking of things - most goods that cost more than a few nuyen have tags included in the packaging. Warehouses and retailers can use these tags to track inventory and ring up your shopping bill.

  • Global tracking of things - tags can be configured to upload their location to a cloud server whenever they have a working Matrix connection. People use these as locators for any of their stuff they want to keep track of.

  • Theft prevention - a variation on the tracking idea, most expensive, durable, or legally restricted goods (definitely including vehicles, guns, and ammunition) are infested with multiple tracking tags. If the goods are noticed stolen, they can be swiftly tracked down via the locations being uploaded from the tags.

    Sneaky users might have tags on their items that do not broadcast their location all the time, but sit passive and undetectable until certain times or they receive an incoming signal; this makes it very difficult to know you’ve definitely wiped every tag off something you just stole. Items the characters purchase with from the black market LPs have already gone through this.

RF blocking paint

The local mesh relies on ultra-wide band signals that can barely penetrate walls at the best of times. So it doesn’t take much to block them almost entirely via smartpaints that use nanotech to assemble a crude Faraday cage as it dries. This prevents any decker outside the area from seeing in; icons for devices inside cannot be seen from the outside, and all hacking traffic is blocked.

Smartpaints are quite expensive, so tend to be reserved for only high-security areas within a facility. These are, of course, combined with physical security measures and access controls. Smartpaints are also wildly unpopular with workers, as they are inconveniently cut off from the outside world.


Personas are a special kind of icon used in VR to represent a human user. They are endlessly customisable, by creating custom 3d models and animations and/or by purchasing expensive digital goods from your favourite brands. Most of humanity is happy with a generic persona, perhaps with a small purchased accessory or two. But for some, particularly those who live in the matrix, persona customisation is an important part of how they express themselves. This is particularly common in decker circles.

People who have spent a lot of time or money customising their persona often want to show it off in AR as well as VR. They run special programs on their commlink that do a public broadcast of their persona as an animated ARO. A miniature version may float over their head or ride around on their shoulder. Some people go so far as to animate a life-size version of their persona and have it envelop their meatbod, effectively hiding them within it. This is very difficult to do well; often they will clip through the animated persona, ruining the effect.

2.8 - Comparing these houserules to Shadowrun 5e/6e RAW

A quick list of the simplifying assumptions I have made

These rules attempt to simplify the Shadowrun 5e Matrix rules by removing a number of options. For quick reference, some of the changes I have made include:

  • Streamline and merge the “AR / VR” and “in host / on grid” distinctions. Now, being “in” a host means always being in VR, and if you’re not in a host then you are in AR.
  • Split the Matrix into two parts; a localised, short-range, wireless mesh network and a global, wired network. Hacking is only viable on the former; the latter is ruthlessly protected by GOD agents. Thus, deckers need to be fairly close to their targets, so they can reach them via the local mesh.
  • Mostly remove the concepts of personas and their associated magic unhackable digital ownership.
  • Introduce a hard line between regular PANs (hosted on a commlink) and secure PANs (hosted on a cyberdeck or drone deck.)

Hacking & cybercombat

  • Distill all primary decker offensive actions to three kinds: hacking (stealthy, grants access to manipulate devices), cybercombat (overt, violent, crashes devices), and denial of service attacks (disrupts traffic to/from a device or PAN to impose distraction penalties on people using it.)
  • If a device is in a PAN or WAN, it cannot be hacked directly; the attacker must hack the PAN or WAN instead (this is in Shadowrun 6e, to be fair.)
  • If a device is in a WAN, and the decker can get physical access to its internal debug ports, they can compromise it and get a big bonus to hacking the WAN host through it. Hence corps rarely put easily-accessed external devices like maglocks and cameras on WANs; instead, WANs are reserved for stuff like security guard gear and internal turrets and sensors.
  • Secure PANs cannot be hacked; they must be crashed in cybercombat.
  • Via a program on their cyberdeck, hackers who have infiltrated a host (in VR) can switch to AR (to move with the team) but maintain a connection to the host and still send hacking commands to devices attached to it. However, the persona they leave running in the host is more vulnerable to ICE.

Wireless off / running silent / Matrix stealth

  • Wireless devices are always visible on the Matrix - no running silent, and devices connected to PANs or WANs don’t disappear from view on the local mesh.
  • s-PANs (and only s-PANs) can be configured to hide themselves on the Matrix; they minimise traffic between their devices, cutting back to just text/voice comms. All devices are otherwise inactive and no game mechanical bonuses can be derived from them as long as the s-PAN stays in stealth mode. This is an active process that must be maintained by the decker/rigger running the s-PAN.

3 - Tweaking Shadowrun's tech level

Trying to maximise the ‘cyberpunk feel’ by reducing technological sophistication

I have several slightly opposing goals for how I want my Shadowrun setting to feel, at least in terms of the sophistication of technology.

  • I desire a “classic cyberpunk” feel that is roughly aligned with Shadowrun 2e and the foundational works of cyberpunk fiction from the ’90s.

  • But at the same time, I think the cyberpunk genre derives a lot of its power from feeling like it is near-future – and not retro-future or far-future. Character’s problems and the shape of the world they inhabit should feel recognisable to us.

    So I also want the world to reflect 20+ years of real-world technological advancement that has occurred in the last thirty years. ShR5e and 6e do this, most notably in the form of the wireless Matrix and all that goes with it.

  • However, I do not want technology to be too advanced. I do not want my game to start to feel more like general sci-fi. ShR 5e and 6e definitely do this, to my mind.

  • I don’t want to stuff to work too well. Cyberpunk tech (or at least, the tech within monetary reach of our players) should be like real-world tech: buggy, flawed, unreliable, sometimes frustrating. I don’t want it to have this high-tech sheen where everything works and nothing has any downsides.

Hence: I want to somehow find a way to blend these different approaches. This document attempts to do that for some aspects.

The changes/tweaks I have proposed are more about aesthetics than they are about rules. Nothing here is changed for game balance reasons, and mostly they don’t result in any mechanical changes at all. It’s just about how the fictional world looks, works, and feels.

Tech to remove completely

  • Antigravity - I mean, c’mon.
  • Practical energy weapons - you can make a laser cannon, but you can’t power it from any sort of man-portable (or even troll-portable) energy cell.

Limiting augmented reality

Reasoning: sophisticated near-ubiquitous AR has the ability to transform the world beyond recognition. Road sights, billboards, car licence plates would be no more. Home appliances would have no buttons or other physical interface. Computer keyboards would cease to exist. This is too big a shift for me.

Datajacks / DNI cannot be used for AR. AR requires realtime integration of synthetic content into your normal senses, whereas simsense replaces your normal senses entirely. In order to add digital content to your sensorium, your sensorium first has to be digitised.

This means there are two ways to get AR features: cyberware or gear.

  • For visual elements: either cybereyes, or wearing glasses/goggles/a monocle, or using your commlink. The glasses literally overlay your visual field with the AR elements, which avoids a lot of the complex overhead necessary in a cybernetic approach. As a last resort, you can even use caveman methods - hold your commlink up and move it around, using its screen as a viewport onto AR cyberspace. This has a cost advantage; even the cheapest ‘link can do this, and with no additional hardware.
  • For auditory elements: either cyberears or wearing earbuds.
  • For tactile elements: either cyberarms/hands or wearing special force-feedback gloves. The gloves are quite crude in terms of the “realness” of the feedback they offer.

Without tactile elements, AR control surfaces are downright clumsy to use. Touch targets have to be rendered large enough that the user can use them, and even so, prolonged use is frustrating as mis-taps are just frequent enough to annoy you.

Resolution and focus of AR elements is limited when using glasses/goggles. Reading large amounts of text for long periods is likely to cause nasty migraines.

Combined, these mean that society does not run on AR, because AR has not reached a big enough critical mass so that it can entirely replace other display methods. Street signs still exist. Most restaurants still have signs on the door (except for the occasional hipster speakeasy trying to create some mystique.) Keyboards still exist, as do monitors and TV screens.

AR is more about how you interact with your gear than it is about how the world presents itself to you.

Limiting virtual reality

Reasoning: cyberpunk has armies of wageslaves crammed on commuter trains travelling to vast open-plan offices of beige cubicles and flickering neon lights. Why, if VR is so good? Why don’t people stay home and jack into remote hosts instead? Their employers can still watch their every move.

  • Simsense requires an extremely high-bandwidth, low-latency connection between the brain and the device encoding the simsense signal. This requires a wired connection. Therefore, a decker must be physically connected to their cyberdeck, although the ‘deck can be wirelessly connected to the rest of the world.

  • Normal people find it profoundly uncomfortable to be in VR for a prolonged period of time in public areas. The sense of disconnect from your body provokes deep unease and vulnerability. This ruins productivity.

    In the workplace, VR is therefore mostly reserved for:

    • Elite knowledge workers, deckers, scientists, architects, and the like. These people get private offices.
    • Occasional use by wageslaves for eg. telepresence in remote meetings. In short bursts, people are generally fine with it.

Clarifying VR vs AR

Reasoning: this is just to try and clean up the profusion of overlapping interface modes and Matrix stuff that Shadowrun offers.

You are in VR (ie: full simsense, body in ragdoll RAS-override mode) when you are in a host system. All Matrix actions done not in a host are done in AR. The action of entering a host and the action of switching to VR are the same action.

AR hacking is not necessarily done entirely through the datajack’s neural interface (see the next section); many hackers use either physical or AR keyboards and other control surfaces in combination with mental commands.

All VR is “hotsim” and hence has the capability for weaponised software to harm the meatware experiencing it.

DNI is not telepathy

Reasoning: taken to the extreme, DNI starts to feel a bit too sci-fi for me.

Reminder of terms: DNI is Direct Neural Interface, a brain-computer link. RAS is Reticular-Activation System; a RAS override cuts all normal sensory input and muscle control output from the brain. It is most commonly used for simsense VR.

Most DNI can only be achieved via a datajack or trodes. Trodes are very finicky to use; in order to work they have to remain fixed in place on the head. Any rapid movement or jostling threatens to dislodge them. They are not the preferred choice.

As a special case, a smartgun link also achieves a form of DNI via the special connection between the user’s palm and the gun’s onboard processor (see elsewhere in this doc.)

DNI means the user can send commands to their gear by thinking them, but this is a complex process for the hardware involved. Datajacks and trodes find it difficult to clearly read brain activity from a subject who is not in RAS override. The brain stimulation from the subject’s normal senses risks drowning out the brainwave patterns that the hardware needs to interpret as commands.

In practice this means the user must construct quite deliberate, clear thoughts for the interface to read them. DNI controls tend to be simple, eg. on/off switches and “select a setting from 1-10” dials. Composing text via DNI requires the user to think in a clear inner monologue, and can only go at around the same speed as speech. Issuing commands (eg to a smartgun to fire) similarly needs mental effort, and for that reason many smartgun owners prefer to continue to use a physical trigger.

Engaging RAS override (eg when in VR) cuts off the user’s normal senses and muscle control and solves this issue immediately. From the perspective of the datajack, it is like all the background noise of the brain shuts off at once, leaving a much clearer signal for it to listen for. This is how simsense can work so well.

Wireless Matrix interfaces on gear

Reasoning: I think Shadowrun 5e’s wireless gear bonuses and subsequent hacking is immersion-breakingly stupid, and I wish to hurl it into the sun.

Domestic / civilian gear like home appliances are completely controllable from the wireless Matrix. This allows smart home control, AR control surfaces, remote monitoring, etc. It also makes these devices controllable to anyone who hacks them.

For obvious reasons, items like weapons and cyberware are not built like this.

While they may offer Matrix control surfaces, these are strictly for secondary control and user interface only. The device’s primary functions are all controlled via other means.

For example: a cyberarm’s primary control method is the nerve splice between the cybernetic component and the user’s body. This is how the user issues all normal “commands”, ie. moving it around, picking stuff up, deploying cyberclaws, etc.

All except the cheapest models of arm might also offer a secondary Matrix interface. This is used by the arm to present information to the user that cannot be communicated via a nerve splice, such as diagnostics, service requests, user manuals, and the like. If the arm has functions that are too complex to be mapped onto the nervous control, such as a colour-changing surface coating, they may be controlled here via an AR interface panel.

Crucially: hacking attacks over the wireless Matrix can only effect the secondary interfaces and cannot bypass the device’s internal hardware firewall. A hacker cannot shut down or take over someone’s arm, or eyes, or any other cyberware. They cannot remotely detonate a grenade or remotely eject a weapon’s magazine.

Smartguns use a subdermal induction pad mounted in the user’s palm and the gun’s handle to establish an ultra short range private wireless connection that is used for the primary control surface (eg. cybernetic commands to eject magazines, switch firemodes, etc.) Again, a hacked smartgun cannot be instructed to fire, or not fire, or eject its magazine at an inopportune moment.

Drone brains

Reasoning: cyberpunk still has lots and lots of low-paid, unskilled labour. There are warehouse workers, dock hands, construction workers, shop clerks, pizza delivery drivers. They have not been replaced en masse by machines.

  • General purpose drone automation is limited by the lack of (controllable) general AI. Drones are heavily used in fields such as construction, manufacturing, and other heavy industry; but they are under close supervision at all times, as the dog-brain will frequently get into unexpected states and freeze.
  • As a special case, GridGuide empowers self-driving cars in urban areas by providing a mesh network that drones can use to co-ordinate between themselves. This does a lot to keep the dog-brains within their normal operating parameters. Outside of a GridGuide connection, self-driving cars can handle good conditions, but are easily confused by inclement weather, traffic, and so forth. This manifests as the car either parking itself or bleeping and requiring manual intervention from the passengers.
  • Delivery drones are highly vulnerable to hacking and physical attacks, followed by being looted for their parts and cargo. Companies are reluctant to use drones for automated delivery because of this. The cost-benefit is marginal at best, and favours human deliveries in the middling-to-bad neighbourhoods.


Reasoning: full-on nanotech, especially nanoware and nanoforges, pushes the tech level further than I am comfortable with.

Nanotech is in its infancy. It can do two things well:

  1. Very simple tasks in complex environments. An example of this is cyberware implantation, where nanobots carry out minimally-intrusive installation of subdermal wiring and splicing of technology onto nerve shunts. Viewed from a nanotech scale, these are relatively large pieces of engineering.
  2. Complex tasks in very simple environments. An example of this is orbital factories that produce nanosteel, aerogels, exotic carbon matrices, and other materials in hard vacuum / microgravity conditions. These nanobots cannot be used on Earth, as they cannot deal with any environmental complications while nudging carbon atoms accurately into place inside a molecular iron lattice.

Most nanomaterials cannot be constructed on Earth. Nanobots cannot achieve precision tasks inside the complex environment of the human body; nanoware does not exist. Nanobots are expensive to produce and are totally tailored to one very narrow task; there are no “general purpose” or programmable nanobots. Desktop nanoforges are not a thing.

(NB: “nanotech” is a misnomer. The ‘bots that carry out the procedures are built on the scale of hundreds of nanometers and operate on material on a scale of, at best, tens-of-nanometers.)