Matrix, The

How the wireless Matrix works, from an in-game perspective

1 - Overview of what is possible with these rules

Game scenarios these rules attempt to capture

Deckers can use their cyberdeck in augmented reality mode to wirelessly connect to nearby devices: cameras, maglocks, other people’s commlinks and smartguns… They can exploit these connections to hack the devices and subtly manipulate them: stealing data, listening to phone calls, looping camera feeds, opening doors. Or they can abandon subtlety and switch to cybercombat: crashing devices, flooding them with bad data and 0-day vulnerabilities until they are knocked offline entirely.

People can defend against deckers in a few ways. The simplest method is to form a private network controlled by your commlink. A network groups all their gear behind the controller, then establishes it as the beachhead connection to the rest of the matrix. Now, in order to hack the devices in a network, the decker first has to hack the network itself. It’s not a lot of extra protection (unless they have a really expensive commlink), but it’s something.

Deckers and riggers can form more powerful networks using their cyberdeck or dronedeck as a controller. These are harder to hack, as these devices are much more powerful than any commlink – and even if you do hack into them, the decker or rigger might notice.

Corp wageslaves working in a facility often use a network controlled by a powerful host. This provides a lot more protection. To hack devices on a host-controlled network, the decker first of all has to hack the host; that involves a trip into VR, leaving their meatbod behind as a floppy, vulnerable shell.

Hosts are also where corps keep their juicy (and valuable!) secrets, so deckers naturally gravitate to attacking them. Those secrets are guarded by ICE and by counter-decker security staff called spiders, so it won’t be easy. Hosts can be hacked via wireless connections if the decker can get within connection range, but it’s better to find a convenient device the host trusts and use it to establish a back door via a wired connection to its inner workings.

With wireless connectivity, deckers also loom large on the modern battlefield. They can host and defend tacnets, realtime AR overlays for members of their team that allow them to share tactical information. When the situation calls for stealth, they can reconfigure their network to hide on the Matrix, disguising dataflow between the devices to look innocuous. And finally, they can make powerful DoS Attacks against opponents, overloading their electronic gear with junk data to inhibit its functionality.

2 - Making the Matrix

What the Matrix is made of: the backbone and the local mesh; hosts and other icons

The third-generation Matrix of the 2070s is a technological marvel, delivering immersive AR and VR applications to users without the need for wires. But how does it manage such fast connections without requiring the user to physically connect a cable? The answer comes in two parts.

The backbone

The first part is the global grid, also known colloquially as the backbone. This is broadly equivalent to what was known in the early 21st century as “the cloud”; it’s the sum of all the physical infrastructure of fibre trunks, satellite uplinks, and other super-speed connections that connect all the Matrix’s hosts together. Within the backbone, speed is functionally infinite, and distance is no issue. But you can only use the backbone if you have a physical, wired connection to it. Nobody wants that.

Early 21st century cellular wireless standards are no help. The Matrix demands very fast high-frequency ultra-wideband radios, but they are easily blocked by the gleaming steel-and-glass towers of the sprawl. You’d never get a signal. How to square this circle?

The local mesh

The answer is a short range, peer-to-peer mesh network. Suppose Alice wants to check the latest updates on her P2.1 social feed. Her commlink sends the request to her neighbour Bob’s commlink. From there, it’s forwarded to Charlie’s commlink. And so it travels, until it reaches an uplink host - which has a hardline connection to the backbone. From there, it can speed off to its final destination. The P2.1 host sees the request, and sends the response back down the same link. This all happens in the blink of an eye.

Every Matrix device automatically self-organises into a reliable mesh network, and sets up forwarding and routing so that everything transparently works. This is the local mesh. At all times, your Matrix devices exist in a bubble, extending perhaps a hundred meters around you. Somewhere in that bubble is your closest uplink host, the one you will send backbone traffic to. But where is your traffic going? Well, for most people, it’s usually a host.

Hosts

Hosts come in a few major types, depending on what kind of connection they have.

First, there are the aforementioned uplink hosts, sometimes called beanstalks. These bridge between the backbone and the local mesh, a bit like an old-time cell tower. People don’t really think about them too much; like any piece of reliable infrastructure, they fade into the background. But they’re there, scattered around the sprawl.

The most common type people interact with in their personal lives are cloud hosts. These are hosts made up of many physical servers distributed around the planet, all with their own connection to the backbone. They exist everywhere and nowhere at once. Cloud hosts are very powerful and very secure.

However, you can’t use cloud hosts for everything. When Wally Wageslave sits working in his office like a good little drone, that office’s various systems - heat, light, power, security, Wally’s files and emails - are all run by a host located inside the building. These local hosts work exclusively on the local mesh, without a backbone connection. Local hosts have one defined place of existence; somewhere, there’s some computers in a rack you can point to and say “this is the host for this building.”

Some of the more prominent and successful hacker collectives might run illicit local hosts, sometimes called dark hosts as they (for obvious reasons) do not advertise their existence like most legal hosts do.

Offline hosts are computers that are totally air-gapped, with no connection to the local mesh or the backbone. The only way to connect to them is directly via a cable. Offline hosts are often used for very important, secret file storage, and are placed in locations that are very physically secure.

But how do you actually get stuff done on the Matrix? Well, you interact with icons.

Icons

Everything on the Matrix is represented by an icon. Icons can look like anything; cartoonish symbols, abstract runes, photorealistic 3d images; anything (although most sane Matrix designers use icons that at least vaguely resemble what they are used for). Icons can represent one of a few different types of thing:

  • Tags: tiny little passive chips. They have no batteries or computing power of their own; they are powered by wireless power gathered from the Matrix. They typically hold and/or broadcast some number of files. They cannot be hacked, as such, as they lack any processor of their own. See Tags for more.
  • Files: any type of data (text, audio, video, computer code, …), stored on any type of medium (in a tag, on a commlink, in a host, on a storage chip, …).
  • Devices: toasters, cars, door locks, speakers, microwaves, etc etc etc. In the Sixth World, near enough everything that has electrons flowing through it also has a functioning Matrix connection of its very own. Devices can be directly connected to the matrix (unattended) or protected inside a network run by a commlink, ‘deck, or host.
    • Commlinks: special devices that people use to see and interact with the Matrix.
    • Cyberdecks: souped-up commlinks that can be used to bend the rules of the Matrix by hackers and counter-hackers. There are also drone decks, which are similar but specialised and used to remotely control drones.
  • Hosts: as mentioned above, these are the “servers” of the Matrix; big computer systems you can go into and do stuff within. So the social network P2.1 has a host that you go into to read your friends’ updates, post messages, play games with them; that sort of thing.
    • Some hosts are so big that internally they are sub-divided into zones called nodes.

3 - Matrix icons

How things look in the Matrix

When you view the world in AR, your commlink or cyberdeck can overlay icons for any (and all) nearby matrix devices onto your vision. This is rather overwhelming - in an urban area, the local mesh can contain thousands of icons. So most people run filtering routines that hide most of them and only show ones deemed important. For example, in a crowded street, you might only show icons for commlinks for people you know, and hide the rest.

The mesh networking routing protocols that keep the wireless matrix working track the approximate position and motion of all these devices, so they can predict when devices are about to go out of range of each other and have fallback routes prepared to keep traffic flowing. AR leverages this information to position icons in the user’s sensorium in vaguely the correct place, relative to where the device is.

When the user has line-of-sight to the device, this positioning is quite accurate; glance at a coffee machine in AR and you’ll see its glowing matrix icon hovering just over it. When there’s no line of sight, position accuracy drifts randomly, often by a few metres. If you are in a shopping mall and your friend is in the store a few doors down from you, you’ll see an icon for their commlink, but it’ll appear vague and fuzzed-out so you know it’s only an approximate position.

When using VR inside a host, there is no need to make things correspond to meatspace. Icon positioning is arbitrary and governed by the sculpting of the host. Some hosts look like glowing neon wireframes, with icons clustered across an infinite 2d plane. Others are painstakingly rendered 3d environments with icons grouped logically and scattered across rooms or areas. The possibilities are limitless.

Types of icon

  • Tags: tiny, passive chips; see Tags.
  • Files: any type of data (text, audio, video, computer code, …), stored on any type of medium (in a tag, on a commlink, in a host, on a storage chipdrive, …).
  • Devices: toasters, cars, door locks, speakers, cameras, drones, microwaves, etc etc etc. In the Sixth World, near enough everything that has electrons flowing through it also has a functioning Matrix connection of its very own.
    • Commlinks: special devices that people use to see and interact with the Matrix.
    • Cyberdecks: souped-up commlinks that can be used to bend the rules of the Matrix by hackers and counter-hackers. There are also drone decks, specialised variants used by riggers to control drone networks.
  • Hosts: the “servers” of the Matrix; big computer systems you can go into in VR and do stuff within. Some hosts are so big that internally they are sub-divided into zones called nodes.
    • Inside hosts, you can see (lots of!) icons for files and connected devices.
    • Hosts also contain personas, which are VR icons representing people using the host. Personas can be very simple and generic, or highly customised and tailored to the person they represent. See Personas.
    • Hosts also contain ICE, intrusion countermeasure electronics. These are autonomous software agents that form the first line of defence against hostile deckers.

4 - The augmented everyday

How augmented reality works and feels

Interface issues: augmented reality is not telepathy

When a user is in VR, their body’s nervous system is partially shut down by a RAS override. One of the effects of this is that by blocking sensory input to the brain from the user’s body, it makes it much easier for their datajack to read their conscious and sub-conscious impulses. This, in turn, creates a really efficient control surface; the user can send instructions as fast as they can think.

AR doesn’t work like that, as it has no RAS override. The datajack has to try and pick out the impulses amongst a storm of unrelated sensory processing. For this reason, most control of devices via AR is done indirectly through holos (see below) instead of direct brain-computer interfacing as is typical in VR.

One area where AR can directly read thoughts quite successfully is via a sort of text-to-speech service. As long as the user deliberately and clearly forms words in their mind, their inner monologue can be picked up by the datajack and sent to a commlink or other device. This is often used for text messaging or sending very simple commands, eg. to turn a smart device on/off or fire a smartgun. Compared to doing stuff in VR, it’s glacially slow, though - only about the same speed as talking, perhaps a bit faster if the user has had a lot of practice.

Holos

For anything more complex than an on/off switch, the primary type of interface in AR is an Augmented Reality Object (ARO) - often called “arrows” or “holos” in everyday language.

For a user with a datajack, holos are inserted directly into their sensorium. They typically appear as semi-translucent neon glowing screens and buttons, floating in space (hence the name “holo”.) They can have sound elements, and usually have tactile elements too - holographic buttons and controls feel real when the user touches and presses them.

Holos can be private, viewable only by one person; this is typical for someone using their commlink via AR. They can be public, viewable by anyone; this is typical for advertising hoardings and billboards. Or they can be semi-private, shared with a selected group of people.

Working life

Perhaps surprisingly, a lot of work still happens in meatspace, with physical displays and interfaces.

The early promise of VR as an accelerator for productivity never emerged, for a variety of reasons. Firstly, using VR for extended periods of time is exhausting, both mentally and physically - it’s like running full-throttle for hours and hours. Few people can maintain the pace. Secondly, the sensation of being cut off from your body when it is in a public place is quite disconcerting to most people, and they find themselves constantly distracted by worrying about their meat. So outside of a small handful of elites working from private offices, most wageslaves only dip into VR occasionally for remote meetings and the like.

AR is more commonly used, but that also has limitations. For one thing, it’s not all that much faster to use than an old-fashioned screen and keyboard. And for another, using holos for detailed work like reading lots of text or running complex simulations often causes troublesome headaches or eyestrain if used for very long periods. So the typical wageslave bounces back and forth, dipping into AR screens while on the move, but falling back to large screens at their desks.

AR and VR without datajacks

Users who do not want or cannot afford datajacks can still get online, but with some big caveats.

VR can only be achieved with a clumsy ’trode net worn around the head. Sensory fidelity is reduced, compared to a datajack, and speed is reduced. Worst of all, the trodes have to be placed in the right spots, and are easily dislodged if the user moves around while wearing them.

Users can get an AR overlay with a variety of sense link devices: smart contacts, glasses or goggles for visual, earbuds for audio, and feedback gloves for tactile elements. As with ’trodes, these are clumsy and inferior to datajack interfaces, but they are usable. Civilian versions of these devices are mostly fairly delicate and easily damaged by rough handling in combat. Ruggedised versions exist, but are bulky and obvious.

5 - Hacking the Matrix

Bending the Matrix to your will

The end of encryption

The incorporation of early quantum processors into the first cyberdecks sent an earthquake through the tech world from which it never recovered. Even the strongest, best designed encryption of the day fell before it in fractions of a second. There could be no more secrets.

Today, things have improved only slightly; the most advanced encryption in the world still cannot hold up to sustained assault from a skilled hacker with a high-end cyberdeck.

This single innovation has reshaped the world.

Rise of the spiders

Faced with the total loss of passive defence - ie. strong encryption of data - the megacorps had to pivot to active defence.

First, they built high walls around their kingdoms. Some of the most sophisticated pseudo-AI on the planet exists to run ICE: Intrusion Countermeasure Electronics. ICE patrols and defends the megacorp’s hosts tirelessly, rooting out invading hackers and - sometimes - frying their brains.

But ICE isn’t all-powerful, so the corps also set people to guard those walls. These counter-hackers, called spiders in the language of the street, sit in the middle of sprawling webs of sensors and alarms. Attract their attention, and they are swiftly dispatched to deal with you. And they are good, with all the equipment and training of their deep-pocketed masters.

The Grid Overwatch Division (GOD)

Each megacorp can hire its own security staff to patrol its own hosts, but that leaves the backbone itself vulnerable to attacks. It’s too important to leave undefended, so the Corporate Court formed the Grid Overwatch Division (GOD). GOD is a semi-autonomous organisation, tasked with defending public grid infrastructure, staffed by spiders and technicians loaned from the AA and AAA megacorps.

How to hack

Sending hacking traffic over the backbone is near-impossible. The uplink nodes are equipped with powerful coprocessors that carry out deep packet inspection, scanning for anything out of the ordinary. At the first sign of trouble, aggressive autonomous agents are deployed, rapidly followed by elite GOD spiders.

It is on the local mesh where the deckers can bring their powers to bear. Hampered by the need to maintain backwards compatibility with millions of devices that have fallen into planned obsolescence, and with even small changes to the protocols requiring dozens of squabbling corps to agree, the local mesh is… well, it’s a mess. Deckers exploit this ruthlessly, using vast databases of known vulnerabilities to carve through the laughable defences that devices rely on.

There is an obvious problem, though - the local mesh is small, typically extending only 50-100 metres. With the wireless matrix, deckers need to get close to their targets. They can no longer sit in the safety of armoured bunkers, hundreds of miles from danger.

What to hack

Any device that is attached directly to the matrix is considered to be unattended. Civilian and even security grade unattended devices have very weak defences against hacking.

Most ordinary people will arrange all of their various matrix gadgets into a personal area network (PAN). A PAN is controlled and monitored by their commlink, which routes all matrix traffic through itself. Devices in a PAN cannot be hacked individually; the decker must hack the commlink instead. PANs are a little bit more difficult to hack than an unattended device, but the main benefit is that if the commlink notices the hack attempt it can alert the owner at once. They can then take action, such as shutting down their devices.

The corporate grown-up version of a PAN is a wide area network, or WAN. WANs are very similar but instead of a commlink they are controlled and monitored by a host. As with a PAN, you cannot hack individual devices in a WAN; you have to enter VR and hack the host directly. If you can get a direct cabled connection to a device that is part of the WAN, you can exploit that to more easily hack the host. For this reason, corps tend not to put easily-accessed exterior building defences like cameras or maglocks on their primary security WANs.

Finally, there are also secure PANs, or s-PANs. S-PANs are PANs that are run from a cyberdeck or drone deck and are being actively monitored by a decker or rigger. S-PANs cannot be hacked at all, as their admin will swiftly notice any hack attempts and take defensive action. They can only be knocked offline via cybercombat.

Alarms

The local mesh protocols specify that all devices monitor all the traffic they can see to scan for hack attempts. This isn’t hard to avoid in the short term, but as a decker carries out more and more hacks using the local mesh against devices and PANs, it gradually becomes more and more difficult to hide. Once it reaches a critical level, GOD will deploy autonomous agents to hunt the decker down; if they are unsuccessful, a GOD spider will reinforce them. A skilled decker relies on speed and stealth to achieve their goals before this happens.

Hosts maintain their own alarm state, separate from the local mesh one as they are outside of GOD’s jurisdiction. They react to alarms by deploying ICE and security counter-hackers, as well as alerting security personnel in meatspace that a possible intrusion is underway.

6 - Symmetric entropy pools

Hack-proof encrypted comms… with a twist

Quantum processors used in cyberdecks for hacking and code-breaking can shred almost any known cryptography, given enough time; but they are not omnipotent. If you really, really need a secure communications channel, and are prepared to jump through hoops for it, there is something you can do.

Ancient cryptographers would sometimes use one-time pads to encode messages in a way that was nearly unbreakable. The 207x equivalent is a symmetric entropy pool. Two parties share a massive pool of carefully generated, thoroughly randomised data. The pool is used to encrypt all communications between them before they are sent via the public Matrix. The other party uses their matching copy of the pool to decrypt the message again. In theory, this cannot be decrypted by attackers, as it appears to be completely random noise.

Shared entropy pools come with some significant downsides, however:

  1. The entropy pool has to be kept absolutely secure and private, so the parties usually have to meet face to face to set the pool up, or the data has to be sent via eg. a trustworthy data courier.
  2. Physical access to one copy of a shared entropy pool for a few minutes is enough time to duplicate it. If you possess a copy of someone else’s pool, you can undetectably spy on their communications. This makes copies of established pools extremely high-value targets for espionage.
  3. Due to an interaction between the Roper-Eld quantum computational limit and the Shannon-Hartley theorem, the size of the entropy pool required to securely encrypt a channel increases with the square of the data being sent along it. This quickly becomes very difficult to manage if the intention is to use it for long-term communications. The pools have to regularly be recreated and re-copied between users.
  4. SEPs can be used for realtime audio or (at a push) video, but cannot support the data rates necessary for AR or VR traffic.

SEP hardware

Most users of entropy pools use specialised hardware to store and work with them. This is a credstick-sized device that plugs into a standard dataport on a commlink or cyberdeck. The commlink sends the encrypted data stream into the device, and decrypted data comes back. The main advantage of this is that when being used normally the entropy pool cannot be hacked even if you hack the commlink, as the commlink cannot read the pool directly.

However, by flicking a recessed switch, the device can be put into setup mode; this is designed to allow pools to be created, synchronised, and copied. Hence, with physical access to any device for a minute or two, an attacker can easily duplicate the pool.

7 - Other stuff

Smaller bits and pieces, plot devices, etc

Dark fibre

The backbone infrastructure is administered and patrolled by the Grid Overwatch Division, and is theoretically neutral between the megacorps. But the corps didn’t get rich by trusting each other. Where security demands it, it’s not unusual for corporations to run their own private communication lines - for example between a secure, hidden facility and a more public one. This lets the secure facility access the Matrix discreetly without making its location or purpose obvious. This is called dark fibre.

On the local mesh, dark fibre functions like a wormhole. If you can hack the controlling host on one end, you can coerce it to carry your traffic to the other, and suddenly you can “see” devices that could be dozens or even hundreds of kilometers away. Occasionally, wily shadowrunners use this as part of a smash-and-grab, using a forgotten dark fibre link to hack into a distant host that is too physically well-protected to get near in the physical world.

Tags

Tags are tiny, passive chips, with a small amount of ROM and minimal processing power. They use the ROM to store a small amount of data, which can then be broadcast onto the matrix. They usually have no battery of their own, or only a very small backup battery; instead, they rely on wireless power transmission from nearby Matrix devices.

Tags cannot be hacked, as such, as they lack any processor to hack. They can be erased by a specialist tool that generates a powerful electromagnetic field, but it only has an effective range of a few centimetres, so you need to know where the tag is.

Tags are very common in my campaign, and have numerous uses:

  • Broadcasting a fixed AR holo - eg a billboard, signage, an animated menu outside a restaurant, or a piece of graffiti.

  • Local tracking of things - most goods that cost more than a few nuyen have tags included in the packaging. Warehouses and retailers can use these tags to track inventory and ring up your shopping bill.

  • Global tracking of things - tags can be configured to upload their location to a cloud server whenever they have a working Matrix connection. People use these as locators for any of their stuff they want to keep track of.

  • Theft prevention - a variation on the tracking idea, most expensive, durable, or legally restricted goods (definitely including vehicles, guns, and ammunition) are infested with multiple tracking tags. If the goods are noticed stolen, they can be swiftly tracked down via the locations being uploaded from the tags.

    Sneaky users might have tags on their items that do not broadcast their location all the time, but sit passive and undetectable until certain times or until they receive an incoming signal; this makes it very difficult to know you’ve definitely wiped every tag off something you just stole. Items the characters purchase with LPs from the black market have already gone through this.

RF blocking paint

The local mesh relies on ultra-wide band signals that can barely penetrate walls at the best of times. So it doesn’t take much to block them almost entirely via smartpaints that use nanotech to assemble a crude Faraday cage as they dry. This prevents any decker outside the area from seeing in; icons for devices inside cannot be seen from the outside, and all hacking traffic is blocked.

Smartpaints are quite expensive, so tend to be reserved for only high-security areas within a facility. These are, of course, combined with physical security measures and access controls. Smartpaints are also wildly unpopular with workers, as they are inconveniently cut off from the outside world.

Personas

Personas are a special kind of icon used in VR to represent a human user. They are endlessly customisable, by creating custom 3d models and animations and/or by purchasing expensive digital goods from your favourite brands. Most of humanity is happy with a generic persona, perhaps with a small purchased accessory or two. But for some, particularly those who live in the matrix, persona customisation is an important part of how they express themselves. This is particularly common in decker circles.

People who have spent a lot of time or money customising their persona often want to show it off in AR as well as VR. They run special programs on their commlink that do a public broadcast of their persona as an animated ARO. A miniature version may float over their head or ride around on their shoulder. Some people go so far as to animate a life-size version of their persona and have it envelop their meatbod, effectively hiding them within it. This is very difficult to do well; often they will clip through the animated persona, ruining the effect.

8 - Comparing these houserules to Shadowrun 5e/6e RAW

A quick list of the simplifying assumptions I have made

These rules attempt to simplify the Shadowrun 5e Matrix rules by removing a number of options. For quick reference, some of the changes I have made include:

  • Streamline and merge the “AR / VR” and “in host / on grid” distinctions. Now, being “in” a host means always being in VR, and if you’re not in a host then you are in AR.
  • Split the Matrix into two parts; a localised, short-range, wireless mesh network and a global, wired network. Hacking is only viable on the former; the latter is ruthlessly protected by GOD agents. Thus, deckers need to be fairly close to their targets, so they can reach them via the local mesh.
  • Mostly remove the concepts of personas and their associated magic unhackable digital ownership.
  • Introduce a hard line between regular PANs (hosted on a commlink) and secure PANs (hosted on a cyberdeck or drone deck.)

Hacking & cybercombat

  • Distill all primary decker offensive actions to three kinds: hacking (stealthy, grants access to manipulate devices), cybercombat (overt, violent, crashes devices), and denial of service attacks (disrupts traffic to/from a device or PAN to impose distraction penalties on people using it.)
  • If a device is in a PAN or WAN, it cannot be hacked directly; the attacker must hack the PAN or WAN instead (this is in Shadowrun 6e, to be fair.)
  • If a device is in a WAN, and the decker can get physical access to its internal debug ports, they can compromise it and get a big bonus to hacking the WAN host through it. Hence corps rarely put easily-accessed external devices like maglocks and cameras on WANs; instead, WANs are reserved for stuff like security guard gear and internal turrets and sensors.
  • Secure PANs cannot be hacked; they must be crashed in cybercombat.
  • Via a program on their cyberdeck, hackers who have infiltrated a host (in VR) can switch to AR (to move with the team) but maintain a connection to the host and still send hacking commands to devices attached to it. However, the persona they leave running in the host is more vulnerable to ICE.

Wireless off / running silent / Matrix stealth

  • Wireless devices are always visible on the Matrix - no running silent, and devices connected to PANs or WANs don’t disappear from view on the local mesh.
  • s-PANs (and only s-PANs) can be configured to hide themselves on the Matrix; they minimise traffic between their devices, cutting back to just text/voice comms. All devices are otherwise inactive and no game mechanical bonuses can be derived from them as long as the s-PAN stays in stealth mode. This is an active process that must be maintained by the decker/rigger running the s-PAN.