Bitcoin Forum
Author Topic: Antminer Hack S9 /S15 / S17 / Sx aso. SSH and so on for free  (Read 3009 times)
#1  fubly (Hero Member, Activity: 557, Merit: 517)
June 05, 2019, 12:22:47 AM
Last edit: July 10, 2019, 10:20:54 PM by fubly
Merited by thierry4wd (2), OgNasty (1), hugeblack (1), Artemis3 (1)

HACK FIRMWARE, SSH and EXPLOIT for free

FIRMWARE


Code:
vi /www/pages/cgi-bin/upgrade.cgi

  • remove lines 45, 46, 47, 48, 49, 50, 51, 52, 77 and 78 (move with up and press d to remove a line; 77 and 78 are the last fi of that function)
  • press ESC, then :wq
  • open your Antminer web page and upload whatever you want

SSH on any Antminer


Code:
dropbearkey -t rsa -f /config/dropbear_rsa_host_key -y

  • reboot -f
  • power off your Antminer
  • disconnect the FTDI
  • power on
  • log in via SSH as usual

EXPLOIT Antminer (not only S15 or S17)

The exploit uses a security issue in Lighttpd!

  • research it yourself
  • if you use Kali Linux, search for XSS, Lighttpd, remote execution
  • it's hard to find but not impossible!
  • do not spend a cent on this exploit; use the above instructions
  • if you have found the script, use dos2unix to convert it (it's a Windows script)
  • the code to execute is: dropbearkey -t rsa -f /config/dropbear_rsa_host_key -y
  • why? Because if you set a new dropbear key, the SSH service will start on its own

Stop PMing me if you will not PM me your real name!

Hint: it also works above 1.4.32

each time you send a transaction don't forget to use a new address, each time you receive one also!
#2  PassThePopcorn (Sr. Member, Activity: 469, Merit: 308)
June 05, 2019, 02:00:59 PM

Do you know the pinout for the FTDI to connect it to the miner? Or would any console cable work?
https://www.amazon.com/dp/B07MY6F8TP/
#3  cfbtcman (Member, Activity: 238, Merit: 14)
June 26, 2019, 05:07:18 PM

I have everything but it doesn't work. What am I supposed to use as a terminal to log in, PuTTY or CoolTerm?
Do we need to connect power to the data board or not?
#4  Artemis3 (Legendary, Activity: 1134, Merit: 1117)
July 04, 2019, 12:42:27 AM

I have everything but it doesn't work. What am I supposed to use as a terminal to log in, PuTTY or CoolTerm?
Do we need to connect power to the data board or not?

Power the controller; no need for hashboards.
This is a serial link, an old-fashioned method you may not be familiar with depending on your age, so use a serial terminal, not an SSH client; forget PuTTY.

If you do it correctly you should get a prompt when you plug in the cable and hit Enter; probably login and password.

#5  cfbtcman (Member, Activity: 238, Merit: 14)
July 05, 2019, 01:41:17 AM
Last edit: July 06, 2019, 03:55:37 AM by frodocooper

PuTTY can use a serial terminal too, but I use CoolTerm and I can't get anything.
Why is there no connection scheme? Can someone post some pictures of the connection scheme?
#6  Artemis3 (Legendary, Activity: 1134, Merit: 1117)
July 05, 2019, 01:39:15 PM
Last edit: July 06, 2019, 03:55:53 AM by frodocooper

Why? Did you make the cable yourself? Just search online for "FTDI USB cable pinout"... I believe it involves a chip, due to USB, unless you want to make a direct RJ45-to-serial cable, which I happen to have, lol. Cisco switches and such use them in both the true serial and USB variants that go into an RJ45 jack and serial/USB on the other side. Oh, if you are using a true serial port, make sure it's enabled in the BIOS. Some BIOSes are set to "auto" and won't turn it on if nothing is plugged in at boot.

I haven't touched PuTTY in over a decade, but if it can do true serial then it's a matter of picking the right port and speed parameters (115 kbps, 8,N,1).
If unsure, test the program with something else, if you have anything that still connects via serial (such as the aforementioned router, or an old-fashioned PC).

#7  s3binator (Newbie, Activity: 14, Merit: 16)
July 07, 2019, 09:53:34 PM

For the exploit, I searched and tried the few exploits on exploit-db. I haven't found anything that's a Windows script. The others didn't seem to work (they were for older versions than lighttpd 1.4.32, which is what's on the newest firmware). Has anyone else had more luck?

Thanks
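One way to pin down which lighttpd build a given controller is actually running before hunting for a matching exploit is to read the Server header its web UI returns. The script below is an added example, not code from the thread and not Bitmain's; it assumes the miner serves plain HTTP on port 80 and that the firmware has not stripped lighttpd's default "Server: lighttpd/x.y.z" banner. SAMPLE_HEADERS is a constructed response used so the parsing part runs offline.

```shell
#!/bin/sh
# Added example (not from the thread, not Bitmain's code): identify the
# lighttpd build a miner runs from the Server: header its web UI returns,
# so the exploit search starts from a known version rather than a guess.
# Assumptions: the controller serves plain HTTP on port 80 and the
# firmware has not stripped lighttpd's default "Server: lighttpd/x.y.z"
# banner; if it has, this prints nothing and the version must be read
# from the firmware image instead.

# Read raw HTTP response headers on stdin and print the lighttpd version
# (e.g. 1.4.32), or nothing if no lighttpd Server header is present.
lighttpd_version() {
    # Header names are case-insensitive; drop the CR of CRLF line ends.
    tr -d '\r' |
        sed -n 's|^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*lighttpd/\([0-9][0-9.]*\).*|\1|p' |
        head -n 1
}

# Exit 0 if dotted version $1 is greater than or equal to $2, else 1.
# Fields are compared as integers, so 1.4.35 > 1.4.4 comes out right
# (a plain string comparison would get that wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Probe a live controller (needs the network; not exercised offline).
# -I asks for headers only, -m 5 caps the wait on an unresponsive host.
probe_miner() {
    curl -s -m 5 -I "http://$1/" | lighttpd_version
}

# Constructed sample response, modelled on an unauthenticated request to
# the Antminer web UI; the realm, nonce and version are placeholders.
SAMPLE_HEADERS='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="antMiner Configuration", nonce="placeholder", qop="auth"
Content-Type: text/html
Content-Length: 0
Server: lighttpd/1.4.32
'

if [ "${1:-}" = "--demo" ]; then
    v=$(printf '%s' "$SAMPLE_HEADERS" | lighttpd_version)
    echo "sample banner reports lighttpd ${v:-<not advertised>}"
    if [ -n "$v" ] && version_ge "$v" 1.4.32; then
        echo "at or above 1.4.32"
    fi
fi
```

Run it with --demo to parse the constructed sample, or call probe_miner with the controller's address on a real network; an empty result means the banner is suppressed and the version has to come from the unpacked firmware image instead.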
#8  cfbtcman (Member, Activity: 238, Merit: 14)
July 10, 2019, 06:32:05 AM

Why? Did you make the cable yourself? [...]

I already bought a USB-to-RJ45 cable on Amazon, but like I told you, nothing works.
Are the connections on the RJ45 or on the board points, like old JTAGs?
#9  Artemis3 (Legendary, Activity: 1134, Merit: 1117)
July 10, 2019, 12:56:10 PM

I already bought a USB-to-RJ45 cable on Amazon, but like I told you, nothing works.
Are the connections on the RJ45 or on the board points, like old JTAGs?

Both, apparently. I did see the 3-pin header on S9s, but this may vary with controller model/revision.

#10  fubly (Hero Member, Activity: 557, Merit: 517)
July 10, 2019, 10:03:35 PM

I have everything but it doesn't work. What am I supposed to use as a terminal to log in, PuTTY or CoolTerm?
Do we need to connect power to the data board or not?

See the first post (edited today)!

#11  cfbtcman (Member, Activity: 238, Merit: 14)
July 14, 2019, 09:28:58 PM
Last edit: July 15, 2019, 03:42:28 AM by frodocooper

Both, apparently. I did see the 3-pin header on S9s, but this may vary with controller model/revision.

Both? If both, where is the diagram for the board connections?
This post seems like a joke!

See the first post (edited today)!

This sounds like an enigma; why not do this as if it were for very stupid people?
Put some pictures of the connections, or a video on YouTube, why not?
#12  bruiser (Member, Activity: 68, Merit: 12)
July 15, 2019, 10:22:25 AM

Or you can do it without buying any tools: https://asicseer.com/page/security-restoring-ssh

We released it for free. If you like the tool, try ASICseer itself :)
#13  Artemis3 (Legendary, Activity: 1134, Merit: 1117)
July 15, 2019, 02:54:39 PM
Last edit: July 16, 2019, 03:48:05 AM by frodocooper
Merited by frodocooper (5)

[...]

Why? Have you never done serial? You just need 3 wires: TXD, RXD and GND, which correspond to pins 2, 3 and 5 on a standard DB-9 plug. You might need to swap TXD and RXD if you get it wrong. Don't ask me about USB because that's a whole new can of worms.



To clarify in case you somehow got it wrong: you can use either port, the RJ45 or the 3-pin header, for serial communication. "Both" should work... Using an RJ45 for serial communication is old. The port knows when you plug in this type of cable instead of Ethernet on devices with serial; there is nothing special about this. But in addition there happens to be a 3-pin header that appears to be the same. Just ignore the 3-pin header if you don't get it.

RJ-45 Pin   Signal   DB-9 Pin   Signal
1           RTS      8          CTS
2           DTR      6          DSR
3           TXD      2          RXD
4           GND      5          GND
6           RXD      3          TXD
7           DSR      4          DTR
8           CTS      7          RTS

https://www.juniper.net/documentation/en_US/release-independent/junos/topics/reference/specifications/port-rj45-db9-adapter-pinout.html

You could wire them all if you are bothered with hardware flow control, but my Cisco-made cable didn't bother. I don't think they use it (CTS/RTS) anyway, or the data-ready pins.

#14  tim-bc (Full Member, Activity: 549, Merit: 172)
July 22, 2019, 07:20:20 PM

Or you can do it without buying any tools: https://asicseer.com/page/security-restoring-ssh

We released it for free. If you like the tool, try ASICseer itself :)

This tool doesn't work; I've already tried it, and others have too, with no luck.

Also, ASICseer has a dev fee, and some of the devs/leaders are Bcash proponents.

Ignore scammers on Skype, Telegram, etc. I will only ever contact you via forum PMs. See profile for fingerprint.
#15  darkv0rt3x (Full Member, Activity: 242, Merit: 135)
July 23, 2019, 07:05:04 PM

What are the advantages of performing this hack? What can we do with it that cannot be done without it?

Mining Revolution - It's possible, damn it....
Lightning Node URI: 03fef777d58a529df02a3fb267690e0c9033767b555cc1c63844bb2d3498789f91@2obm3yvfj5m3zabnea5y2xolimeuc4gbelika3pa7div5pk2eolqrtad.onion:9735
#16  s3binator (Newbie, Activity: 14, Merit: 16)
July 24, 2019, 11:40:47 PM
Merited by frodocooper (3), OgNasty (1)

What are the advantages of performing this hack? What can we do with it that cannot be done without it?

The newest Bitmain firmware disables SSH on boot, therefore you cannot SSH into the machines. It's not a big deal if you have a few machines, but there are many farms out there with hundreds or thousands of miners that automate configuration and reboots using software; this new firmware removes that ability.

They cite "security", but it's baloney. Why not give the end user a choice to turn SSH on or off through the portal? Any end user with a couple of machines can turn SSH off, and farms that tunnel through firewalls can leave it on; our choice. They are purposely making larger mining operations' lives harder to get an upper hand.
#17  darkv0rt3x (Full Member, Activity: 242, Merit: 135)
July 25, 2019, 12:54:56 PM
Last edit: July 26, 2019, 03:29:56 AM by frodocooper

Ah ok. I got it. Absolutely agreed. There's no point in avoiding SSH connections because sooner or later someone will make it happen one way or another.

What about the exploit? What can one do with it?

#18  tim-bc (Full Member, Activity: 549, Merit: 172)
July 25, 2019, 08:15:47 PM

The newest Bitmain firmware disables SSH on boot, therefore you cannot SSH into the machines. [...]

You can do all necessary configuration, get kernel logs, do reboots, etc. all through the CGI pages on the web portal. It is actually much faster than SSH on these miners, because they always sit for a few seconds before you can connect via SSH.

Large mining operations can easily have someone tweak their scripts and how they do configuration. However, inexperienced and smaller users who are clueless could easily get an SSH virus if any infected miners or control boards are put on the same network.

#19  Artemis3 (Legendary, Activity: 1134, Merit: 1117)
July 25, 2019, 11:32:38 PM
Last edit: July 26, 2019, 03:31:11 AM by frodocooper
Merited by frodocooper (2)

You can do all necessary configuration, get kernel logs, do reboots, etc. all through the CGI pages on the web portal. [...]

This is not true, and it probably means your LAN or your computer isn't performing properly, or you are using PuTTY or some bloated Windows client rather than proper OpenSSH from a proper operating system.

The other reason most people want SSH access is to enable the other API controls that require editing some text file. There are also diagnostics and the multitude of things you can do from a proper Linux box, which these controllers actually are, such as network debugging and configuration. I have often changed DNS via SSH, which from the UI requires a reboot, which is a travesty.

And yes, there are people using scripts to automate things; why not? You can do the whole thing without ever looking at the web UI. How are you seriously going to say that a web UI is faster than a text console? It is an order of magnitude slower, by data transferred alone, let alone web browser rendering... Have I seen Bitmain miners with the web UI stuck that are actually still mining? Yes, I have...

s3binator is right, the alleged "security" thing is baloney, and yes, a simple UI option would at least give the owner a choice, but they don't care. Want security? Start with setting a proper password, then remove all Windows computers from your mining LAN, which is how 90% of the malware gets in.

#20  darkv0rt3x (Full Member, Activity: 242, Merit: 135)
July 26, 2019, 09:32:35 PM

Hmm, ok. I've learnt more in the last few posts here than from the thread instructions themselves.

I use Linux at home by default and I like the advantage of not having to deal with the constant bugs and errors of Windows-based systems and applications. I absolutely agree with the problem of 90% or more of malware spreading mostly through Windows machines. Nothing like a terminal to avoid a ton of problems!

I like the idea of it being possible to access miners through an SSH connection. If I get a miner in my hands, I'll try to do everything via terminal!

Thanks
DarkV

#21  cfbtcman (Member, Activity: 238, Merit: 14)
July 27, 2019, 07:24:01 AM
Last edit: July 29, 2019, 01:22:23 AM by frodocooper

Or you can do it without buying any tools: https://asicseer.com/page/security-restoring-ssh [...]

This is just for the S9; we are talking about the S15/S17. Solutions for that?

You can do all necessary configuration, get kernel logs, do reboots, etc. all through the CGI pages on the web portal. [...]

Tim, on an S15 you can easily overclock it to do 33 TH, and officially it only does 28 TH; it's a big difference and Bitmain doesn't allow people to do it with the web interface.

Why? Have you never done serial? [...]

I have done serial in the past, but new computers use USB. I have a USB-to-RS232 adapter that has always worked fine for the things I needed, but this time I have a USB-to-RJ45 one; the program detects it fine but does nothing!

Do you have one that works? I can pay for one that works; can you post a video doing it and showing it?
#22  supersonic (Full Member, Activity: 195, Merit: 104)
August 11, 2019, 03:47:42 PM
Last edit: August 11, 2019, 11:19:07 PM by frodocooper

Power the controller; no need for hashboards. [...]

It works either through PuTTY or CoolTerm; the problem I had was that when prompted for login, I couldn't type anything, though the LED was blinking on the controller when I tried.

Nice from far but far from nice
#23  Artemis3 (Legendary, Activity: 1134, Merit: 1117)
August 12, 2019, 06:01:33 PM
Last edit: August 13, 2019, 02:13:06 AM by frodocooper

That sounds like your terminal has the wrong echo configuration. I am not exactly sure how good something like PuTTY is for serial communication, as I have never tried it for that. Anyway, whatever terminal you use, try to find out how to change the echo configuration so it shows the characters you are sending instead of waiting for the remote end to send them back.

#24  cfbtcman (Member, Activity: 238, Merit: 14)
August 13, 2019, 03:28:13 AM
Last edit: August 13, 2019, 11:01:49 AM by frodocooper

Artemis, is this post just to try to make Bitmain think there is a solution?

I ask this because the only guys who say they can open SSH ask for a lot of money in bitcoin, say it only works with >100 units, and don't give solutions for free!

Under these conditions I have the solution too; I can pass my BTC address to anybody who wants to pay!!!!

Here we have people saying the FTDI pinout needs to be connected to the RJ45 port?!!!!!! I never saw that in all my life!

I spoke with some guys who say there are special points on the board to make the connections; here nobody posts pictures of a scheme or a link to YouTube, so is this real or just another myth?

Have you already tried it and had it work, or has any other guy here tried it and had it work, who can post a real scheme with real pictures or a YouTube video?

P.S. There are some guys who have been trying since the beginning of the year to collect funds in bitcoin to pay White Rabbit to post the solution, who is supposed to be the creator of the exploit, and they are still trying to collect more money, so to me this seems just fake. Can someone prove I am wrong?
#25  bommachine (Newbie, Activity: 5, Merit: 0)
August 13, 2019, 08:42:52 AM
Last edit: August 13, 2019, 11:02:24 AM by frodocooper

Has anyone tried the instructions in the following link?

https://forum.hiveos.farm/t/antminer-s17-t17-support/12415
It's based on a lighttpd exploit on firmware version 0527, which is no longer available to download.

If anyone has this firmware, could they share it with us so we can test?

Another method I'm going to try is to change the firmware myself and then re-upload it, but I'm not sure that will work.
#26  fubly (Hero Member, Activity: 557, Merit: 517)
August 13, 2019, 10:22:57 AM

New hint:
this exploit will not work; wrong parameters in curl, it will only work on already opened firmware.

There is no create_log_backup.cgi, just create_conf_backup.cgi on very old ones. So it's the wrong CGI file to inject the code into!
Good luck, and note that nothing is for free.

#27  bommachine (Newbie, Activity: 5, Merit: 0)
August 13, 2019, 11:17:57 AM

Cool, I've got copies of the old firmware so I'll test. Once I know the version of lighttpd it will be quite easy to find the appropriate exploit, if it does exist.
#28  Artemis3 (Legendary, Activity: 1134, Merit: 1117)
August 13, 2019, 10:50:46 PM

Artemis, is this post just to try to make Bitmain think there is a solution?

If I were you, I would use the SD card method and be done with it. Don't ask me about the newer units, as I haven't touched one (yet).

#29  DrHyed (Newbie, Activity: 5, Merit: 0)
August 14, 2019, 10:19:14 PM

I've been trying to downgrade the firmware on my T9+ for about a week and I'm having no luck. The board will not take an SD card flash no matter what I try. I am not technical enough to truly dig into the firmware (though I did try for about 1.5 days...), so I bought an FTDI, but I'm not having any luck with it either. I have CoolTerm and the FT232 drivers installed and the pinouts connected correctly to the T9+ board and the FTDI, but I am not prompted to log in when I open CoolTerm, or plug the FTDI into the computer, or press the connect button inside CoolTerm. I have the baud rate at 115000 and the miner board is powered up; what am I missing? How do I make the FTDI and miner board talk? I'm assuming once they are communicating I can modify the bin file (or whatever it's called specifically) via CoolTerm and then upgrade/downgrade out of the SSH version of the firmware that's on my board at the moment? Sorry for all the questions; I'll get this newb knocked off me soon, I promise!

Thank You
Jay
#30  BitMaxz (Legendary, Activity: 2324, Merit: 1826)
August 14, 2019, 11:42:29 PM

I've been trying to downgrade the firmware on my T9+ for about a week and I'm having no luck. [...]

How about the jumper? Did you know that you need to move the JP4 jumper before you flash the miner?
Check this guide on how to flash the Antminer T9+ with an SD card, from here: "T9+ Control Board Program Recovery"

About the FTDI, I think this tool is only for old ASIC miners.
Check this thread from here: https://bitcointalk.org/index.php?topic=831601.0

#31  cfbtcman (Member, Activity: 238, Merit: 14)
August 15, 2019, 01:27:23 AM
Last edit: August 16, 2019, 03:53:08 AM by frodocooper

If I were you, I would use the SD card method and be done with it. [...]

I think there is no solution yet to boot from an SD card on an S15 machine.



New hint: this exploit will not work; wrong parameters in curl, it will only work on already opened firmware. [...] Good luck, and note that nothing is for free.

If nothing is for free, these posts make no sense!
There are many things free in this life, like air, sunlight, rain...

Ok, even if we need to pay for it, does someone have the contact of someone who can unlock machines remotely for a fair price?

If everybody could unlock and overclock machines, the hashrate would go up; without the hashrate going up, bitcoin can't go up, and we all want bitcoin going up, so theoretically the guys who have the solution could post it and earn from bitcoin's appreciation. The problem is that those guys are very smart in some things but not so smart in others.

If I had the solution I would post it for everybody.
#32  supersonic (Full Member, Activity: 195, Merit: 104)
August 21, 2019, 07:17:17 AM

That sounds like your terminal has the wrong echo configuration. [...]

Well, no wonder I couldn't do anything: my FTDI was broken. I got another one and everything is working as intended.

#33  tim-bc (Full Member, Activity: 549, Merit: 172)
August 21, 2019, 10:42:25 PM
Last edit: August 21, 2019, 11:18:45 PM by frodocooper

Tim, on an S15 you can easily overclock it to do 33 TH, and officially it only does 28 TH; it's a big difference and Bitmain doesn't allow people to do it with the web interface.

I agree that's a huge issue... unfortunately there is no S15 firmware that allows SSH; we should at least have the choice to use SSH if needed.

I don't have any S15 yet; you might want to contact Alex, as it seems he's got SSH working on his S15? https://www.youtube.com/watch?v=UJv6rrUNU60

#34  cfbtcman (Member, Activity: 238, Merit: 14)
August 22, 2019, 11:09:15 PM
Last edit: August 22, 2019, 11:26:01 PM by frodocooper

I agree that's a huge issue... [...]

I contacted some guys who said they could do it, but in the end nothing!
They wanted a huge quantity of money in bitcoin, and the ones who asked for little money and said they could do it remotely never did it, even after I agreed to pay.

Well, no wonder I couldn't do anything: my FTDI was broken. I got another one and everything is working as intended.

So, can you post some video/pictures of the whole process, like a connection diagram, etc.?
#35  Artemis3 (Legendary, Activity: 1134, Merit: 1117)
August 24, 2019, 07:22:15 PM
Last edit: August 26, 2019, 01:37:41 AM by frodocooper

Well, no wonder I couldn't do anything: my FTDI was broken. I got another one and everything is working as intended.

Well, there is always that... I guess we all have to have a tester around just in case, though I'm not sure how that would work with the USB variant; the plain serial version is easy to test. Of course there is always the "dumb" serial-to-USB adapter, which can be separate from a "dumb" serial-to-LAN port.

Glad it worked for you in the end.

#36  bommachine (Newbie, Activity: 5, Merit: 0)
August 29, 2019, 01:28:44 PM
Last edit: August 30, 2019, 04:20:39 AM by frodocooper

Hi all,

I managed to unlock a new S17 Antminer to run SSH.
If you are running lighttpd 1.4.32 it will work. If I get enough requests I will do a Medium post to show how it's done.

In a nutshell, the SSH service that the Antminer has installed is called dropbear, and it is automatically re-activated if you manage to create an SSH key.
This version of lighttpd allows you to create files directly on the system.
#37  cfbtcman (Member, Activity: 238, Merit: 14)
September 02, 2019, 02:49:14 AM
Last edit: September 03, 2019, 02:14:23 AM by frodocooper
Merited by frodocooper (3)

Hi all, I managed to unlock a new S17 Antminer to run SSH. [...]

Hi, how can we know the lighttpd version?



New idea to hack S15 and S17 machines...

It seems Bitmain uses an MD5 check to see whether the file is OK, as you can see in this example from the runme.sh script:

Code:
if [ -e uramdisk.image.gz ]; then
    # compare the ramdisk's MD5 with the value shipped in md5_info
    md5=`md5sum uramdisk.image.gz | awk {'print $1'}`
    md5_r=`cat md5_info`
    if [ $md5 == $md5_r ]; then
        # only a matching image is written to the NAND partitions
        flash_erase /dev/mtd1 0x0 0x100 >/dev/null 2>&1
        nandwrite -p -s 0x0 /dev/mtd1 uramdisk.image.gz >/dev/null 2>&1
        if [ -e /dev/mtd4 ]; then
            flash_erase /dev/mtd4 0x0 0x100 >/dev/null 2>&1
            nandwrite -p -s 0x0 /dev/mtd4 uramdisk.image.gz >/dev/null 2>&1
        fi
    fi    # (the two closing fi below were cut off in the quoted excerpt)
fi

Then it calculates the md5sums into the file "fileinfo":

Code:
131e5abc56aedc8bb2aa5e32747ea0bd  md5_info
5775f1b099dbaf88bb0a09e95123efda  uramdisk.image.gz
8a9d791d493c3cb249a3aba8118f1b7d  BOOT.bin
56dc397d0ffbe15164998bc38366e69e  runme.sh

They made a new file "fileinfo.sig" with a signature of them inside, based on that md5sum.

So after some investigation I discovered this on Wikipedia:

The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".

So, if we change runme.sh to run commands to open SSH, like creating a dropbear file with an SSH key (it seems dropbear auto-activates if it has some SSH key in the config folder), and we could generate the same md5sum = 56dc397d0ffbe15164998bc38366e69e, we can break this easily!

Any ideas about how to do that hack on MD5? With this solution we can generate one image that everybody installs.
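The post above shows why the runme.sh check is weak: the signature in fileinfo.sig only covers the manifest, and the manifest only carries MD5 digests, so the whole chain is no stronger than MD5 and an unquoted `[ $md5 == $md5_r ]`. The script below is an added example written for this thread, not Bitmain's runme.sh and not anything posted by the thread's authors. It shows the hardened shape of that check: a SHA-256 manifest verified with `sha256sum -c`, quoted variables, and an empty or missing manifest treated as a failure. The directory layout and file contents are constructed for the demonstration, and the signature check over the manifest (which would precede the hash check in a real flow) is assumed to be done with the vendor's public key and is left out so the example runs without one.

```shell
#!/bin/sh
# Added example (not Bitmain's runme.sh): hardened image check that verifies
# a SHA-256 manifest instead of comparing a single unquoted md5 string.
# A vendor signature over the manifest (fileinfo.sig on the page) would be
# checked before this step with the vendor's public key; that is assumed
# done here and left out so the example runs stand-alone.

# make_fixture: build a constructed update directory with two small files
# and a SHA-256 manifest over them; prints the directory path.
make_fixture() {
  dir=$(mktemp -d)
  printf 'constructed ramdisk bytes\n' > "$dir/uramdisk.image.gz"
  printf 'echo constructed runme\n' > "$dir/runme.sh"
  ( cd "$dir" && sha256sum uramdisk.image.gz runme.sh > fileinfo )
  printf '%s\n' "$dir"
}

# verify_image DIR: return 0 only if every file listed in DIR/fileinfo still
# has the recorded SHA-256 digest. Any flash step (flash_erase/nandwrite in
# the page's script) would be gated on this return value; nothing is written.
verify_image() {
  dir=$1
  [ -f "$dir/fileinfo" ] || return 1   # missing manifest: refuse
  [ -s "$dir/fileinfo" ] || return 1   # empty manifest: refuse, never "match"
  ( cd "$dir" && sha256sum -c fileinfo >/dev/null 2>&1 )
}

# weak_check DIR: the shape of the original test, kept only for comparison.
# Quoting is fixed here; what cannot be fixed by quoting is that MD5 offers
# no collision resistance, which is the point raised in the post above.
weak_check() {
  dir=$1
  md5=$(md5sum "$dir/uramdisk.image.gz" | awk '{print $1}')
  md5_r=$(cat "$dir/md5_info" 2>/dev/null)
  [ -n "$md5_r" ] && [ "$md5" = "$md5_r" ]
}
```

Run `d=$(make_fixture); verify_image "$d" && echo ok` to see the good case; appending a single byte to `uramdisk.image.gz` makes `verify_image` return 1, which is exactly the signal the flash step should wait for. `weak_check` with no `md5_info` file returns 1 instead of aborting with a shell syntax error, which is what the unquoted original does.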

thierry4wd (Sr. Member, Activity: 392, Merit: 277)
September 16, 2019, 08:55:28 PM
Last edit: September 17, 2019, 12:59:40 AM by frodocooper
 #38

Hi, I tried this method, but it does not work...

I connected my FTDI by "RX" + "TX" + "GND" on the FTDI and the Antminer controller (for the test it is an S9 controller).
I powered my controller, connected my FTDI to the computer, and ran CoolTerm (on Win XP).
In CoolTerm, the command is sent with success, the green LED on the FTDI flashes on sending a command, but nothing comes back :s

All help is welcome!!!

http://www.noelshack.com/2019-37-6-1568478681-20190914-182318.jpg



So! Now it connects successfully!

On controller boot, it automatically sends me a boot sequence (the same as the kernel log page on the miner's web page); no need to authenticate, it auto-connects on serial!

For the wire diagram, it is good, but just swap "RX" and "TX"... ("GND" is optional? It works without it... I don't know why.)



I am working on this... working hand in hand is a good idea? Why not?

I tested sending commands, but absolutely no response... because my miner is not operational? No fan and no hashboard, so the boot is not complete? I don't know... just try it soon.


Artemis3 (Legendary, Activity: 1134, Merit: 1117)
September 16, 2019, 10:04:27 PM
 #39

Quote from: thierry4wd on September 16, 2019, 08:55:28 PM
So! Now it connects successfully!

On controller boot, it automatically sends me a boot sequence (the same as the kernel log page on the miner's web page); no need to authenticate, it auto-connects on serial!

For the wire diagram, it is good, but just swap "RX" and "TX"... ("GND" is optional? It works without it... I don't know why.)

Yes, it's "optional", but use it...

And yes, given two identical serial ports, to connect them to each other you have to swap TX and RX; this used to be called a "null modem". AND, until gigabit LAN, to connect two NICs together you were supposed to do the same thing with the two pairs it uses (1-2, 3-6), also called a "crossover".

(The thing with gigabit LAN is that it auto-swaps the pairs, and in addition 4-5 and 7-8 are also used and swapped when needed, and it even corrects mistakes.)


thierry4wd (Sr. Member, Activity: 392, Merit: 277)
September 19, 2019, 03:32:18 PM
 #40

Update, well done! SSH runs again on the latest firmware!

The Fubly tutorial is good!!! But it is missing a little information; no help for me, so just search for it yourself.


kasner (Newbie, Activity: 4, Merit: 0)
October 24, 2019, 12:37:36 PM
Last edit: October 25, 2019, 12:40:25 AM by frodocooper
 #41

I've connected to the S15 OK. But the SSH service doesn't start after reboot. If I run it from the command line, the service starts fine.

Code:
/usr/sbin/dropbear -r /config/dropbear_rsa_host_key -p 22

How to fix that?

TNX
Kasner

fubly (Hero Member, Activity: 557, Merit: 517)
October 24, 2019, 01:24:18 PM
 #42

next hint:
"cam"


kasner (Newbie, Activity: 4, Merit: 0)
October 24, 2019, 01:39:46 PM
 #43

Quote from: fubly on October 24, 2019, 01:24:18 PM
next hint:
"cam"

??

Hache (Newbie, Activity: 29, Merit: 3)
November 30, 2019, 04:44:59 PM
Last edit: November 30, 2019, 05:12:48 PM by Hache
Merited by frodocooper (3)
 #44

Hi everyone!

I managed to log into the miner over serial. After that I created the RSA key without the -y argument, because the file didn't previously exist. That created the dropbear_rsa_host_key successfully. However, upon reboot I am unable to SSH into the miner. I can SSH into the miner if I do
Code:
dropbear -r /config/dropbear_rsa_host_key -p 22
and then ssh into the miner from another computer in the network.

I started investigating and found /etc/default/dropbear and /config/dropbear. Those two files contain only a line "NO_START=1". I changed both to "NO_START=0" but it didn't work. After restarting the miner, both files will show "NO_START=1" again.

I cannot for the life of me find out what other process or init script is changing those files and making dropbear not start appropriately.

Can someone give me a hand, please?

EDIT: I tried editing /etc/init.d/bitmainer_setup.sh and commented out all the lines referring to dropbear and the config files. Doesn't work. After reboot it gets back to the original state.

I cannot find the init script that makes that file go back to its original state disabling dropbear init script.

dctech81 (Newbie, Activity: 1, Merit: 0)
December 19, 2019, 03:15:02 PM
 #45

So, all the exploits I knew of are now patched in the latest firmware. So I'm trying the FTDI method. Can I get some help here?

Quote from: fubly on June 05, 2019, 12:22:47 AM
HACK FIRMWARE and SSH and EXPLOIT for free



I got the exact FTDI board linked here. Using an S9 for testing, but not getting any data over serial. I've tried different computers (2x Windows 10, 1x Linux running inside a VM) and different USB cables, no dice so far.

Could be my FTDI board is bad, but I want to make sure I have the setup correct:

- Does the square hole on the board correspond to DTR or GND? When I connect DTR, the control board lights up even with PSU off.
- Are we supposed to use 3.3v or 5v? 3.3v does nothing for me, but the above works on 5v.

Any suggestions?

cfbtcman (Member, Activity: 238, Merit: 14)
January 14, 2020, 12:19:59 AM
Last edit: January 14, 2020, 01:11:34 AM by frodocooper
 #46

What about exploit file?

It seems the 1st exploit was just a file that exploited a bug via HTTP access. Someone sent me the file, but it gives me some error when testing. Can someone try it using a Linux computer that can run anything, even in case it could have a virus?

This is supposed to work just by running the command and giving the IP of the machine on which we want to activate SSH as a parameter. I don't have success because there is some error, but other guys I passed this to get other errors. This is supposed to run in Ubuntu; can someone try it in a closed environment, because of the possibility of a virus, and give feedback?

https://gofile.io/?c=Xblcbq

jnctky (Newbie, Activity: 1, Merit: 0)
January 30, 2020, 04:35:32 PM
 #47

Quote from: bommachine on August 29, 2019, 01:28:44 PM
Hi all,

I managed to unlock a new S17 Antminer to run SSH.
If you are running light http 14.3.2 it will work. If I get enough requests I will do a Medium post to show how it's done.

In a nutshell, the SSH service that the Antminer has installed is called dropbear and is automatically re-activated if you manage to create an SSH key.
This version of light http allows you to create files directly on the system.

Cool!
Did you unlock the S17 with the 0524 firmware or with the latest firmware?
Could you please let us know which security issue of lighttpd is being used? Do you have the exploit or CVE number?
Thank you in advance!!!

cdmkultra (Newbie, Activity: 10, Merit: 0)
February 04, 2020, 06:23:52 AM
Last edit: February 08, 2020, 02:29:56 AM by frodocooper
 #48

Thank you for the post and the help here. I followed the directions below and had a little trouble, but ultimately I was able to get "almost" all of it working for an S9.

I am using the following Firmware

Code:
Miner Type            Antminer S9
Hostname              antMiner
Model                 GNU/Linux
Hardware Version      30.0.1.3
Kernel Version        Linux 3.14.0-xilinx-ga36f3af-dirty #90 SMP PREEMPT Thu Jun 20 15:01:47 CST 2019
File System Version   Tue Jul 30 20:37:39 CST 2019
Logic Version         V1.3.56
BMminer Version       2.0.0

Problems I noticed:

It appears that Bitmain has taken some precautions to confuse us a bit more

- Changed the ownership of many directories away from root
- Changed the read, write and execute permissions of certain important files (including some dropbear-related files)

Results:

After giving ownership back to root and allowing those particular dropbear files to be executed, I was able to get the RSA Key created!! SUCCESS KIND OF ;(

However, dropbear will not start and I cannot figure out why. So I was hoping that someone could give me a couple commands to try and I will post the results back here.



*****UPDATE*****

Finally I was able to get this to work.

Please DM me if you would like the solution. Not charging anything, it's just better this way.

dms1984 (Newbie, Activity: 2, Merit: 0)
March 11, 2020, 02:34:13 PM
Last edit: March 18, 2020, 02:00:32 PM by dms1984
 #49

Quote from: cdmkultra on February 04, 2020, 06:23:52 AM
*****UPDATE*****

Finally I was able to get this to work.

Please DM me if you would like the solution. Not charging anything, it's just better this way.

cdmkultra, mate, I would love to get the solution you've mentioned, but you have receiving messages from "Newbie" rank blocked, so I can't contact you via PM. Please set it differently (it has to be done explicitly by checking the "Allow newbies to send you PMs." option in the Personal Message Options in your Profile settings), or contact me via PM.

fubly (Hero Member, Activity: 557, Merit: 517)
January 07, 2021, 11:23:15 PM
Last edit: January 10, 2021, 11:29:51 PM by frodocooper
 #50

File: /www/pages/cgi-bin/activate_ssh_again.cgi

Code:
#!/bin/sh
##############################################################################
#category "BitCain5.com for Bitmain Antminer's "
#package "BitCain5.com custom Firmware"
#author Miguel Padilla <miguel.padilla@zwilla.de>
#copyright (c) 2013 - 2021 Miguel Padilla
#link "https://shop.zwilla.de"
#github "https://github/zwilla"
#twitter "https://twitter.com/mytokenwallet"
#license: closed
##############################################################################

# Tracing (set -x) writes to stderr; merged into stdout it would land in
# front of the CGI response headers, so it is left off here.
# set -x

# These are independent commands that must run one after another; chaining
# them with pipes (as the original did) only feeds each one's output into the
# next and lets a failing stage pass silently.
fuser -vk 22/tcp                            # free port 22 if another process holds it
sh /etc/init.d/network.sh
/etc/init.d/avahi restart > /dev/null 2>&1
sh /etc/init.d/dropbear start               # start the SSH daemon
/usr/sbin/lighttpd -f /etc/lighttpd.conf

# CGI response: header line, blank line, then a page that redirects back
# to the miner status page.
printf 'Content-Type: text/html\r\n\r\n'
cat <<-EOH
<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="3; url=minerStatus.cgi">
<script type="text/javascript">
window.location.href = "minerStatus.cgi"
</script>
<title>SSH is activated!</title>
</head>
<body>
<h1>Enable SSH</h1>
<p>If you are not redirected automatically, follow the</p>
<a href='minerStatus.cgi'>link</a>
</body>
</html>
EOH
exit 0


Ryanyehan23 (Newbie, Activity: 1, Merit: 0)
April 27, 2021, 07:34:56 PM
 #51

Hello, please help... my S9 has the 2019 signature lock, and then it has a missing chip beside the SD card slot. I bought a USB-to-UART from Amazon from this link. I tried connecting my S9 board from the USB: S9 board RX to TX, TX to RX, then ground; I used CoolTerm. I followed the instructions above, then I powered my board and I get a reading... continuously... no stopping. I can't log in because of the continuous reading... or receiving from my board... please help me unlock my S9. I tried everything from the GUI and SD card but nothing happened. I thought the USB-to-TTL was working here... https://www.amazon.com/gp/product/B00LZVEQEY/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1