Running OnionCat Services in a Highly Secure Environment

Running services within dark nets requires a lot of caution. If the services are not configured correctly they might leak information and reveal their real location or operator. This of course also applies to a service based on OnionCat.

This article explains how to run an OnionCat-based service in a highly secure environment encapsulated within a virtual machine. I assume that the reader is familiar with basic network concepts, such as IP addressing, switching, and routing.

Modes of Operation

Basically there are two modes in which OC may be operated. In the “regular” mode it runs in parallel to all other services on a server, like for example an OpenVPN client. This is recommended for OC network clients and users because it is more or less plug-n-play and doesn’t require any expert knowledge. The second mode is running OC as a network gateway for a system which exists solely within the OC network.

Configuring OC as a network gateway is an extremely secure solution for running services, but it is rather complex to configure. But don’t be afraid! Once you have understood it you’ll see that there’s a simple concept behind it. I will now explain how this works. The picture on the right shows the basic idea. In the middle you see a system within the OC network. It is completely separated from all other networks (such as the Internet). Below there is the network gateway. It runs Tor (and/or I2P) and OnionCat. On the left there is a “regular” OC client which accesses a service on the isolated system through the Tor and OC network.

Configuration

Now let’s explain how to configure this. We need any virtualization technology. In this example I use XEN for explanation but it works with other technologies as well, such as KVM, VMware, VirtualBox, or similar ones.

To configure this scenario we need two guest systems. Install any Linux or whatever Un*x on them. One acts as the network gateway. Let’s call it Charlie. The other one is the isolated system. I call it Isola. The essential part of this setup is the network configuration. The picture on the left shows the network configuration diagram. The gray boxes are standalone systems. On the left Dom0 of XEN, on the upper right Charlie and below Isola. The green boxes are network adapters and the red bars show network bridges. XEN networking is running in bridging mode. Thus, the physical network card is renamed to peth0 (which usually is eth0 on Linux) and the logical interface for Dom0 is called eth0. This type of configuration is activated by the network-bridge script within /etc/xen/xend-config.sxp. All XEN bridges are configured using the bridge-utils.

Charlie gets two network cards which are named eth0 and eth1 from its point of view. The first one is the uplink to the Internet, the second one is the interface to Isola and acts as the network gateway. XEN realizes those virtual adapters within the “real” world in Dom0 by the interfaces vif1.0 and vif1.1. The first one is bridged to peth0 for a real world connection. Vif1.1 will just end up at Isola. We need another virtual bridge to do so, hence, we create it as root using the bridge-utils.

Dom-0# brctl addbr br0

The name br0 is just a random name. The connection of the virtual XEN interfaces to this bridge is done by XEN automatically during the startup of the guest systems if configured in their configuration files. Edit Charlie’s config file /etc/xen/Charlie.cfg:

vif = [ 'bridge=eth0', 'bridge=br0' ]

and Isola’s:

vif = [ 'bridge=br0' ]

Now boot Charlie and Isola.

Dom-0# xm create Charlie.cfg
Dom-0# xm create Isola.cfg

Within Charlie now install Tor, OnionCat, and the bridge-utils. Configure Tor and OC appropriately. Let’s assume the Onion-URL aerukz4jvpg66ajd.onion. This corresponds to the IPv6 address fd87:d87e:eb43:0123:4567:89ab:cdef:0123. It is important to run OC in TAP-mode. TAP-mode is activated by the option -p. Start OC with the following command:

Charlie# ocat -p aerukz4jvpg66ajd.onion
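
The correspondence between the onion ID and the IPv6 address stated above can be computed in both directions. The following Python code is an added example, not part of the original article or of OnionCat's own code; it assumes 16-character onion IDs as used here, and the function names are made up for illustration.

```python
import base64
import ipaddress

# OnionCat's /48 prefix, as seen in the address given above.
OC_PREFIX = ipaddress.IPv6Network("fd87:d87e:eb43::/48")
HOST_BITS = 80  # a 16-character base32 onion ID encodes 80 bits


def onion_to_ipv6(onion):
    """Return the OnionCat IPv6 address for a 16-character onion ID."""
    label = onion.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 16:
        raise ValueError("expected a 16-character onion ID")
    host = base64.b32decode(label.upper())  # 10 bytes; raises on bad characters
    return OC_PREFIX[int.from_bytes(host, "big")]


def ipv6_to_onion(addr):
    """Return the onion hostname behind an OnionCat IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in OC_PREFIX:
        raise ValueError("address is outside the OnionCat prefix")
    host = int(ip) & ((1 << HOST_BITS) - 1)  # keep the lower 80 bits
    label = base64.b32encode(host.to_bytes(HOST_BITS // 8, "big")).decode("ascii")
    return label.lower() + ".onion"


if __name__ == "__main__":
    print(onion_to_ipv6("aerukz4jvpg66ajd.onion"))
    print(ipv6_to_onion("fd87:d87e:eb43:0123:4567:89ab:cdef:0123"))
```
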

OC will create a TAP device named tap0. As shown in the picture above, this adapter must be bridged to eth1. We use a new bridge for that.

Charlie# brctl addbr br0
Charlie# brctl addif br0 eth1
Charlie# brctl addif br0 tap0
Charlie# ifconfig br0 up
Charlie# ifconfig eth1 up
Charlie# ifconfig tap0 up

Charlie is now ready. Now let’s finalize it. All you have to do is to set up the IPv6 address on Isola. To do so bring up eth0 in Isola and then configure the IPv6 address. In theory this may be done with a single command but I sometimes had trouble doing it at once on some kernels.

Isola# ifconfig eth0 up
Isola# ifconfig eth0 add fd87:d87e:eb43:0123:4567:89ab:cdef:0123/48

With this setup Isola is exclusively within the OC network. There is no interface to any other network. It might be useful to add a second interface to Isola to do software updates but it should strictly be down during regular operation and should just be used during the time of updating the system.
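
One way to verify on Isola that no address outside the OC network is configured, for example because the update interface was left up, is shown below. This is an added example, not part of the original article; it assumes the iproute2 command `ip -o addr show` is available on Isola, and the sample output, the interface eth1, and the address 192.0.2.10 are constructed.

```python
import ipaddress
import sys

# OnionCat prefix, taken from the address configured on Isola above.
OC_PREFIX = ipaddress.ip_network("fd87:d87e:eb43::/48")

# Constructed sample of `ip -o addr show` output with a second interface left up.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet6 fd87:d87e:eb43:123:4567:89ab:cdef:123/48 scope global \\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::216:3eff:fe00:1/64 scope link \\       valid_lft forever preferred_lft forever
3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""


def non_oc_addresses(ip_o_addr_output):
    """Return (interface, address) pairs that lie outside the OC network."""
    findings = []
    for line in ip_o_addr_output.splitlines():
        fields = line.split()
        # Expected layout: "<index>: <ifname> <family> <address>/<prefixlen> ..."
        if len(fields) < 4 or fields[2] not in ("inet", "inet6"):
            continue
        ip = ipaddress.ip_interface(fields[3]).ip
        # Loopback and link-local addresses exist on any host and are not routed.
        if ip.is_loopback or ip.is_link_local:
            continue
        if ip.version == 6 and ip in OC_PREFIX:
            continue
        findings.append((fields[1], str(ip)))
    return findings


if __name__ == "__main__":
    # Usage on Isola: ip -o addr show | python3 this_script.py
    leaks = non_oc_addresses(sys.stdin.read())
    for ifname, addr in leaks:
        print("address outside OC network: %s on %s" % (addr, ifname))
    sys.exit(1 if leaks else 0)
```
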

 

Downloading android apps

Have you ever tried to download an Android App with your computer? It is a pain in the ass! There are countless pages which offer free downloads. But as soon as you click the download link you are either redirected to some other page or you are kindly requested to register before downloading. Some pages even do not offer any download link at all although they advertise free downloads.

In my opinion this clearly is a violation of the term “free software download”. Free download means it is for free, i.e. you don’t have to pay for it and you can download it whenever and for whatever reason you like. Nobody has to care about it. And this includes: no registration! Of course, this might be different for commercial software packages because there should happen some payment in the background. (Read more about the free software definition here.)

While searching the web for some Android packages (APKs) I found the following pages which seem to offer real free download of free Android packages without registration:

 

And those pages are just kidding you. Forget’em.

  • download4a.com
  • market.android.com
  • www.androidblip.com
  • www.androidzoom.com
  • www.software112.com
  • www.tomsguide.com
  • …and many more…

Android and WPA Enterprise

Recently, I acquired a new Android-based smart phone. Just to get familiar with it, playing around, and having phun with it.
Within the context of a research project dealing with voice encryption I was instructed to write some tools and apps on Android.

At our university we have a Wifi network running in WPA enterprise mode with PEAP and an inner MSChapV2 authentication. And surprisingly it worked straightaway. Well, not really. I had to install a Wifi configuration app. I used the Advanced Wifi Configuration Manager. But then it worked – great success!

Ok, let’s guess what is the first thing a typical geek will do with his Android phone? Yes of course, rooting and installing some custom image!

So I did. Originally an Ericsson customized Android 2.1 was running on my phone, and I upgraded to 2.2 and then 2.3. Currently I use GingerDX, a good Gingerbread mod. Thanks to doixanh!

Unfortunately, I noticed that the Wifi at the university campus did not work any more. Of course I blamed those network guys first for being unable to run a Wifi network since my WPA-PSK network at home still did work. But I further noticed that the Wifi on my notebook did still work, hence, I started to investigate what’s wrong with my Android phone.

If you google for it you’ll find a bunch of answers, e.g. this http://code.google.com/p/android/issues/detail?id=8804

Lots of people are complaining about it. I found out that there is a known bug in wpa_supplicant provided with Android 2.2 but actually this was not true for my image. I think the reason is that there are so many different hand-crafted Android images out there that the problem cannot be generalized.

In my case the original installation was running a wpa_supplicant version 0.5.11 and it worked. After upgrading it didn’t work any more. For whatever reason unpacking the update image during the installation procedure did not overwrite the old wpa_supplicant even though it was included in the zip file. Obviously, there seems to be some incompatibility between wpa_supplicant-0.5.11 and the responsible kernel module. Probably cfg80211 or mac80211 because WPA-PSK still did work.

What I did to resolve the problem is that I manually unzipped the Gingerbread image on my Linux computer and copied over the wpa_supplicant to the smart phone. This wpa_supplicant is of version 0.6.10 and immediately it worked pretty well.

 

High Performance XML, OpenSeamap, and OSM

Recently, we published a library for parsing XML files. We use a completely new approach to gain parsing performance. libhpxml is a stream parser written in C.

OpenSeamap is an open source project with the aim of creating a free sea chart. It is based on OSM and uses smfilter during the process of rendering. Smfilter is based on libhpxml.
Please feel free to check out the project pages of libhpxml and smfilter. Have fun with efficiently parsing XML 🙂

 

Manual rooting Android on Linux

A quick Google search for “Rooting Android” gives numerous results; mainly forum
posts of people looking for help but also lots of good (…and bad…) answers
with detailed instructions.
Most answers describe how to use SuperOneClick on Windows.
SuperOneClick simply is a front-end for copying and carrying out the exploit.
SuperOneClick is based on .NET version 2.0 or higher and the package contains a
version of ADB, the Android Debug Bridge. Usually it is part of the Android SDK.
With ADB you can for example copy files directly to the smartphone or open a
Linux shell.

Unfortunately, SuperOneClick did not work for me. I run Debian Linux (Kernel
2.6.32) on my computer and I tried to execute SuperOneClick. It always hangs at
“Getting manufacturer…”. I tried to run SuperOneClick on WindowsXP in a VM but
it didn’t work either.

Before we start:
You do this at your own risk. We are not responsible if you damage your
device.

So here we go:
First, download SuperOneClick from shortfuse.org. (Edit, 20140826: The original link seems to have disappeared, thus, you can download it from here.) Create a directory and unzip it.

mkdir foo
cd foo
unzip ../SuperOneClickv2.1.1-ShortFuse.zip

Now cd into the directory ADB and make the Linux version of adb executable.

cd ADB
chmod 755 adblinux

Now connect your smart phone. Don’t mount the USB drive on your computer. On the
smart phone go to Settings/Applications/Development and activate USB Debugging.
Now test if adb can see the smartphone.

./adblinux devices

You should see something like this:

List of devices attached
4257323032BC4C34385A device

If you don’t get a device, or you get a list of question marks, it usually is just a
matter of permissions. The best way is to reconfigure udevd.
Find out the vendor id of your smartphone.

lsusb

You get a list of devices. Somewhere you should see your smartphone and the
vendor id.

Bus 002 Device 070: ID 0fce:2149 Sony Ericsson Mobile Communications AB Xperia X8 (debug)

Create the file /etc/udev/rules.d/50-android.rules and add the
following content:

SUBSYSTEM=="usb", ATTRS{idVendor}=="0fce", MODE="0666", GROUP="plugdev"

Restart udevd and check if adb sees your device.

sudo /etc/init.d/udev restart

Now we copy the exploit code, the su command, and the super user app to the
device.

cd ..
ADB/adblinux push Exploits/psneuter /data/local/tmp
ADB/adblinux push Root/su-v3 /data/local/tmp
ADB/adblinux push Root/Superuser.apk /data/local/tmp

Now we open the adb shell and carry out the exploit.

ADB/adblinux shell

You should get a command prompt with a dollar sign.

$ cd /data/local/tmp
$ chmod 755 psneuter
$ ./psneuter

You will get disconnected. Reconnect to the shell. If it does not work
disconnect the device from USB and reconnect it. If this also does not work
reboot your smart phone and try to execute the exploit (psneuter) again. After
reconnecting you should be root. The prompt should now be a hash sign (#). Type
id and you will see uid=0.

Now remount the system drive in read/write mode. Type mount
and you will get a list of mounted devices. Find the line with the
/system mount point.

/dev/block/mtdblock0 on /system type yaffs2 (rw)

Now remount it, copy the files to the system directory, and set the file mode
appropriately.

# mount -o remount,rw /dev/block/mtdblock0 /system
# cat su-v3 > /system/bin/su
# cat Superuser.apk > /system/app/Superuser.apk
# chmod 06755 /system/bin/su
# chmod 0755 /system/app/Superuser.apk

You should see the new app: Superuser. That’s all folks!
I tested this on a Sony Ericsson Xperia X8 running Android 2.1 and on a Samsung
Galaxy Mini running Android 2.2.

First Version of Garlicat released

Garlicat is a VPN adapter with dynamic IP configuration capability for the I2P network. Using Garlicat you can create an IP network on top of I2P.
What OnionCat is for Tor, Garlicat is for I2P.

Garlicat and Onioncat currently share 100% of their code base. The difference lies in some constants and “constant” variables.
Nevertheless, Garlicat was branched from the main branch because some slight code changes have been necessary. If everything turns out to be stable it will be merged back.

A quick HOWTO is found here and a source package can be downloaded here.

OS X Package of OnionCat available for testing

An OnionCat package for Apple OS X has been built. Please download and test it, and send your experiences, success reports, or bugs to the mailing list.

Package

Mailing list for bug/success reports: ocat-talk@cypherpunk.at

VMware 6.5.1 build-126130 on debian squeeze (current testing) segfault

 

VMware 6.5.1 build-126130 on debian squeeze (current testing) segfaults while installing. Setting gcc to gcc-4.1 doesn’t solve the problem. Misleadingly, the installer quits reporting a successful installation, but the log files reveal some segfaults, and vmware will also segfault after starting it.

The problem seems to be that some definitions of the newer libc6-dev changed with respect to the ones in lenny. That leads to the case that it compiles but the modules and vmware will segfault.

Workaround: downgrade libc6 (and devs) to lenny (libc6_2.7-18_amd64.deb) just for installation of vmware. Upgrade back after installation.

dpkg -i --force-downgrade libc6_2.7-18_amd64.deb
dpkg -i --force-downgrade libc6-dev_2.7-18_amd64.deb
dpkg -i --force-downgrade libc6-i386_2.7-18_amd64.deb

Install VMware 6.5.1 build-126130 by running the installer bundle of VMware and then upgrade libc6 to the squeeze version again.
Note: Do not install anything, reboot, run apt, or do anything else while the libs are in the downgraded state. It might completely break your installation. Again: Just downgrade for the VMware installation and upgrade again afterwards!

Dirty but it works!

I2P Project Leader zzz Emphasizes OnionCat Cooperation

 

In his interview with gulli.com, zzz, the project leader of I2P, emphasizes good cooperation with our OnionCat project.

Read the full article here.

XMPP/Jabber Service now available

An XMPP/Jabber service is now available in the OnionCat network. Registration is free. Please test the service.

fd87:d87e:eb43:41b0:a32:f057:6dba:b205 jabber.onion.aio

Jabber domain: jabber.onion.aio

Tested and approved clients: gajim, pidgin, and kopete on KDE 3.5. Please test other clients.

Server: ejabberd

Have fun testing