WARNING: There are versions of the Z9 Mini that pretend to be "batch1" but are actually malware floating around! I don't care where you get your batch1 firmware, but please make sure the md5sum matches this:
0682b350dd8b53d62a11231d16d133a7 Antminer-Z9-Mini-201805262047-500M.tar.gz
Any other variant is *NOT* factory. I do provide this at the bottom of my webpage at https://releases.broked.net
If you have a ".antminers" in /config, you have bad firmware...
Code:
$ cat dropbear
#!bin/bash
NO_START=0
cp -rf /config/.antminers /usr/bin/ntpd
/usr/bin/ntpd -p /var/run/ntp.pid -g
This firmware copies /config/.antminers to /usr/bin/ntpd and starts it up .... a fake ntpd.
What it does past that point, I do not yet know.
The short story:
I just spent the last couple of hours working with a user who purchased 3 minis from eBay that came with what looked like batch1 firmware but actually was not. Attempts to replace the firmware resulted in some very crazy situations... and the inability to actually replace the firmware anymore... it would pretend to update, but not actually update.
I do not have a copy of the full "malware" firmware, but I did collect forensics data from the machines and will analyze it as I can.
It pretends to be "ntp" but is actually /config/.antminers which is started upon boot.
Removing it was kind of a pain in the rear, but can be done.
I will update this with more information as I have some time.
Thank you,
Jason
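The two checks described in the post above (firmware md5sum, and the /config/.antminers dropper copied over /usr/bin/ntpd), as an added example that is not part of the original post and not Jason's code. The ROOT variable and the scan of /etc for scripts referencing the dropper are assumptions; the post does not say where the "dropbear" script lives.

```shell
#!/bin/sh
# Added example: indicator checks built only from what the post reports.
KNOWN_MD5="0682b350dd8b53d62a11231d16d133a7"  # factory batch1 md5 quoted in the post

# verify_firmware FILE [EXPECTED_MD5]
# Returns 0 only when FILE's md5 equals the expected value, 2 if FILE is missing.
verify_firmware() {
    file=$1
    expected=${2:-$KNOWN_MD5}
    [ -f "$file" ] || return 2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# check_miner [ROOT]
# ROOT is "" on the miner itself, or a mount point of a copied filesystem (assumption).
# Prints one FOUND line per indicator; returns 1 if any indicator is present.
check_miner() {
    root=${1:-}
    found=0
    if [ -e "$root/config/.antminers" ]; then
        echo "FOUND: $root/config/.antminers exists"
        found=1
        # The post's script copies the dropper over ntpd; identical bytes confirm it ran.
        if [ -f "$root/usr/bin/ntpd" ] &&
           cmp -s "$root/config/.antminers" "$root/usr/bin/ntpd"; then
            echo "FOUND: $root/usr/bin/ntpd is a byte-for-byte copy of .antminers"
        fi
    fi
    # Assumption: startup scripts live under /etc. Flag any that reference the dropper.
    for f in $(grep -rl -- '/config/\.antminers' "$root/etc" 2>/dev/null); do
        echo "FOUND: $f references /config/.antminers"
        found=1
    done
    return "$found"
}

# Usage: sh check.sh Antminer-Z9-Mini-201805262047-500M.tar.gz
#        ROOT=/mnt/miner sh check.sh firmware.tar.gz   (offline copy)
if [ -n "${1:-}" ]; then
    if verify_firmware "$1"; then echo "firmware md5 matches factory batch1"
    else echo "firmware md5 MISMATCH or file missing: do not flash"; fi
    check_miner "${ROOT:-}" || echo "indicators present, see FOUND lines above"
fi
```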
Thanks Jason for this info, I bought a couple of z9minis off AliExpress, and they have this malware issue. After running for several days, they reconfigured to https://www.nicehash.com/miner/3CJgXokLQrRCQcEoftS7MbPDSXhXpX6P55 and stole my hashing power.
regards
Graeme