Bought a Hacked Antminer S9 - Help please

[wonder4life]

Hi All,

I just bought a Antminer S9 from eBay and found it seems a pre-hacked unit. I was wondering if anyone could suggest the fix for it and this could be an alert to other innocent people.

After setting up with my own mining pool accounts, I noticed that it won't show any mining status. I tried following:

1. Tried to setup different popular pools, such as antpool, nicehash, slushpool. None of them work.
2. Login to Antminer to run telnet the pool server with port(i.e. 3333). They are all connected.
3. I ran the netstat -ap, to see if it even tries to connect to my pool. Surprisingly I noticed bmminer continuously connects 3 or 4 tcp port 3333 and 443 on some Amazon AWS servers! None of the IP is my pool server.

The destination IP addresses seems keep changing after few minutes. It makes hard to block from firewall.

4. I tried to replace the bmminer with CGminer 4.9.2. It still behavior the same way!

Could you please help advice how to remove this hacked code, and let it to mine for me?

Your advise is highly appreciated!

Hunter

[1715385019]

1715385019

[1715385019]

1715385019

[1715385019]

1715385019

[1715385019]

1715385019

[ccgllc]

First things first... do a firmware update to the 04/17 firmware release and do NOT leave the "Keep Settings" checkbox set.  That should wipe most things out.

2nd choice:  Do a "Reset to Defaults", followed by the first choice.

[MinerMEDIC]

Worst case scenario and depending on the level of sophistication you may need to boot the controller from SD card, reset settings to default, and then feflash the firmware. In that order. BITMAIN recommends resetting settings before doing the flash.

The ZYNQ traditionally uses jumpers to determine what device to boot from, and there are jumpers but I've never seen any mention of what jumpers to change. Perhaps someone else has? Maybe BITMAIN did something else entirely?

[ccgllc]

Last exchange I had with Bitmain after fubaring a controller was that the S9 could not be booted from the SD Card.  Of course, they could have been blowing smoke...

[wonder4life]

Thanks for the suggestions!

I have tried to downgrade to 04/27/2017 firmware which is earliest version available at bitmain website. It seems the problem still there.

Here are the snapshot: of netstat -tap:

root@antMiner:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0     69 antMiner:46924          ec2-35-162-153-28.us-west-2.compute.amazonaws.com:3333 ESTABLISHED 1468/bmminer
tcp        0     69 antMiner:36458          60.205.122.75:3333      ESTABLISHED 1468/bmminer
tcp        0     69 antMiner:39357          ec2-52-37-56-165.us-west-2.compute.amazonaws.com:3333 ESTABLISHED 1468/bmminer


It shows this thing will mine for somebody else as long as it powered up and connected to Internet.

Could any one running Antminer S9 to confirm if you have similar issue, following these commands:

1. ssh to the Antminer S9 IP address, you could use Putty for Windows.
2. Issue this command:
netstat -tap

If you see it connects to those random IP:3333 from bmminer, it confirms that Bitmain would be the same to steal the mining power for themselves.

[EricJH801]

Return it for a refund?

Thanks for the suggestions!

I have tried to downgrade to 04/27/2017 firmware which is earliest version available at bitmain website. It seems the problem still there.

Here are the snapshot: of netstat -tap:

root@antMiner:~# netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0     69 antMiner:46924          ec2-35-162-153-28.us-west-2.compute.amazonaws.com:3333 ESTABLISHED 1468/bmminer
tcp        0     69 antMiner:36458          60.205.122.75:3333      ESTABLISHED 1468/bmminer
tcp        0     69 antMiner:39357          ec2-52-37-56-165.us-west-2.compute.amazonaws.com:3333 ESTABLISHED 1468/bmminer

[SGMPhil]

It is interesting that you have those 3 connections if you have not configured the device. Have you tried changing the configuration to mine using your pool URLs?

[wonder4life]

This is what I got after I configured my three pools. None of mine worked, showing nothing in the mine status page.

It is interesting that you have those 3 connections if you have not configured the device. Have you tried changing the configuration to mine using your pool URLs?

[HagssFIN]

Have you tried these?

First install this:
Antminer S9 - Package to Fix Upgrade Failure
http://shop.bitmain.com/support.htm?pid=007201611260753443104jm60Q6L0639

And then install the newest firmware:
For autotune frequency model:Antminer-S9-all-201711171757-autofreq-user-Update2UBI-NF.tar.gz
https://file.bitmain.com/shop-file-server/firmwares/Antminer%20S9/Firmware/00720170428120943064Xx38xD7Y0683/Antminer-S9-all-201711171757-autofreq-user-Update2UBI-NF.tar.gz

For fixed frequency model: Antminer-S9-all-201705031858-600M-user-Update2UBI-NF.tar.gz
https://file.bitmain.com/shop-bitmain/download/Antminer-S9-all-201705031858-600M-user-Update2UBI-NF.tar.gz

[Raymond_B]

This is what I got after I configured my three pools. None of mine worked, showing nothing in the mine status page.

It is interesting that you have those 3 connections if you have not configured the device. Have you tried changing the configuration to mine using your pool URLs?

Who do you use for your pool?

The reason I ask is that most of these pools are hosted in the cloud. So the IP address you see in netstat is just one of the AWS nodes.

Here's an example of Slushpool



I should say, that this doesn't mean you miner is safe, but if the node is part of your pool's setup then you should be clear in that aspect.

[ccgllc]

Could any one running Antminer S9 to confirm if you have similar issue, following these commands:

1. ssh to the Antminer S9 IP address, you could use Putty for Windows.
2. Issue this command:
netstat -tap

If you see it connects to those random IP:3333 from bmminer, it confirms that Bitmain would be the same to steal the mining power for themselves.

From an S9 that reports at the miner its running at 14.26 TH/Sec, that Slushpool reports as running at 13.75 TH/Sec

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6060            0.0.0.0:*               LISTEN      30425/single-board-
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      1251/lighttpd
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      1232/dropbear
tcp        0      0 0.0.0.0:4028            0.0.0.0:*               LISTEN      30448/bmminer
tcp        0      0 antMiner-18.local:36891 ec2-54-204-120-204.compute-1.amazonaws.com:3333 ESTABLISHED 30448/bmminer
tcp        0    300 antMiner-18.local:ssh   172.16.4.11:62512       ESTABLISHED 31391/dropbear
netstat: /proc/net/tcp6: No such file or directory

As the previous posted pointed out, Slushpool with AWS.

[fanatic26]

If you see it connects to those random IP:3333 from bmminer, it confirms that Bitmain would be the same to steal the mining power for themselves.

Stop spreading this bitmain fud. Think you are the only person to run a netstat on your miner in the last few years? That you magically figured out bitmain is stealing from a single command when noone else could?

You bought a miner from someone OTHER than bitmain. Thats your problem. It is not bitmains fault.