in Technology

on hacking the Unisys ICON

Some time ago I had promised to reminisce a little bit about the Unisys ICON terminals that I used through elementary school and high school, and some of the fun things we did with them (not all of them sanctioned by the school, of course). After reading in ;login: magazine about Dru Lavigne’s efforts [USENIX members only] to catalogue old protocols, I’ve been inspired to add a few words about the trusty old ICON.

The Unisys ICON was a diskless client-server setup, with 80186-based ICON terminals netbooting off a central file server called the LexICON. You can see a picture of a standard ICON terminal on the Wikipedia page but the LexICON is not shown; it was a generic steel box about 6″ high and 2-3 feet deep, containing one full-height MFM/RLL hard disks mounted vertically, in addition to a 5 1/4″ floppy disk drive. It was also possible to hook up a standard EGA video monitor to the LexICON in order to have local console access (one of the non-sanctioned things we did in the computer lab)

The hardware itself was all rather amusing as it was obviously constructed in the days when steel was cheap; each ICON terminal weighed over 50 lbs. when the monitor was bolted to the chassis. The most interesting thing about the whole setup was not the hardware, but the fact that the LexICON and all the ICON terminals ran an early version of QNX. QNX included all kinds of nifty utilities such as apb, which is functionally equivalent to wall(1) on a modern UNIX system. You can see how annoying this program would be in the hands of high school students, so the system administrators had wisely chmod -x‘d the program.

Nevertheless, there was fun to be had since the ICONs shipped with Watcom‘s C compiler pre-installed and a complete set of the printed UNIX manual pages in binders, conveniently stored in the computer lab. I discovered that hacking around in C was much more interesting than the teacher-sanctioned PASCAL or Turing, and my fellow students and I spent many hours poring over the man pages for fun functions to call. We soon discovered that the QNX version of exec(3) had a major security flaw: it worked kind of like clone(2), and not only could you clone the calling process, but you could specify the PID of any arbitrary process on the system to clone — including PID 0. You could also set a flag to inherit all permissions from the parent! So a simple one-line C program like

exec("/bin/sh", 0, CLONE_PERM)

is all it would take to get you a root shell on the box.

We subsequently disassembled the existing apb program and wrote our own, in addition to programs for manipulating users’ displays (e.g. turning them upside down, inverting the colours, etc.) The educational authorities were not amused and we were given a stern speaking-to and told to destroy all copies of our software from the LexICON. I did back them up on a floppy disk, although I doubt the floppy is readable by now.

And that’s the story of how I first got interested in UNIX-like operating systems!

Write a Comment

Comment

  1. Hello,

    I was wondering if you would know where a unisys Icon could be had. I remember using them when I was a kid, and am now interested in hooking one up…

    Spence

  2. lol, i remember those 🙂
    I remember if you hit Ctrl-Rubout it would break the windowmanager, and drop you to a command prompt. I'm pretty sure you could also break the "login", and drop to a superuser prompt, not that any school changed root's password (superuser) or administrator (maintance) and iladministrator (maintance).
    Ah QNX, it was the reason I learned C. In all seriousness, the Icon speech engine was pretty awesome and actually, it was a pretty complete system – too bad it lost popularity. I really would love a few icon 3's to play around with 🙂

  3. It's a little late, but I went out in search of these systems stumbling upon an old-computers.com site and the Wikipedia page, now, I remember these systems in elementary school.. entire computer labs, daisy chain coaxial networking… Cross Country Canada, but I do not remember *any* Unix aspect at all.

    When I read they ran Unix I was so mad at myself for not buying these systems when most schools sold them years ago… It's sad that I never once noticed a Unix prompt on one of these interesting computers, it's a real shame. 🙁

  4. LOL, this is EXACTLY how I got into UNIX as well. Man QNX was pretty neat.

    i remember thinking that "chatter" was a "chat" program and i couldn't figure out how to get it to work 🙂

    did you know that each terminal itself was a "tty" so you could send the output (or input of another tty) to a command, or your own terminal?

    those where the days 🙂

  5. very cool. I remember using these systems back in early grade school. I remember playing the games Mathmaze and Offshore Fishing. If there were others I don't remember them.

    Gotta love the old built in track ball. I remember going nuts on it trying to reel in a shark playing Offshore Fishing haha

  6. I loved QNX. It’s biggest downfall was if you lost your password, someone had to physically edit the password file. This was also my “IN” on the system. After a superuser logged out, you could hit CTRL-C (or possibly CTRL Rubout) and it would drop you right back to the superuser $ prompt. I decided that editing the password file was not a good idea, as people learned to shoulderhawk you and the superuser and group leader passwords were always at the top of the file. I created the SuperUser utilities with commands like getpass, chpass, getstat, chstat (for changing group/member numbers) and other utilities eliminating the need to edit the password file. Other utilities like whois (so you could do “whois 255,255” to see if any other superusers were created etc). I also figured out how to run commands on neighbouring terminals…which would freak out people. I loved them. I’d love to find one some day. I’ll never forget the day I CHATTRed the root directory making my regular user the owner….well, that just brought it to it’s knees, and it had to be wiped and reloaded from scratch. They never did figure out what happened…LOL. After that I just stuck a few lines into the boot file that would copy the password file to my directory and make me the owner of it, since the lexicon booted in superuser mode. They eventually just made me the system administrator sisnce they couldn’t figure out how I was able to always be a superuser whenever I wanted! LOL.

    • I did the same thing, back in ’85, when I inadvertently sat down at the terminal that the school’s network administrator had been sitting at. I accidentally popped right back to the $. I typed wmi… it responded, “larry.” Then I typed passcheck larry… and it gave me the password that is still the rootword in my password, today. Then I created a couple of % users for myself, and hijacked his $ superuser account. I changed the user name and password. Was pretty fun for about 1.5 days, until I was called down to the Principal’s office. He asked me if I knew anything about computers, and I told him no. Which was pretty much true, except for being proficient at intermediate basic programming (PET & Vic20,) plus some Apple IIe experience. All I could clearly see on the sheet in front of the Principal, was CONFIG.SYS. I knew what he wanted to talk about. They brought in a specialist who was able to override my $. He even found my 2 % users and deleted them. ‘backdoor ‘trace” — I honestly didn’t even think that it was a crime to mess with computers like that. Guess I’m lucky I was just a kid.