Antminer Hack S9 /S15 / S17 / Sx aso. SSH and so on for free

[cfbtcman]

Or you can do it without buying any tools: https://asicseer.com/page/security-restoring-ssh

We released it for free. If you like the tool, try ASICseer itself

This is just for S9, we are talking about S15/S17, solutions for that?

You can do all necessary configurations, get kernel logs, do reboots etc. all through the cgi pages on the web portal. It is actually much faster than SSH on these miners because they always sit for a few seconds before you can connect via ssh.

Large mining operations can easily have someone to tweak their scripts and how they do configurations. However, unexperienced and smaller users who are clueless could easily get an ssh virus if any infected miners or control boards are put on the same network.

Tim, in a S15 you can easily overclocking it to do 33TH and oficially it just do 28TH its a big difference and Bitmain dont allow people to do it with web interface.

Why? Have you never done serial? [...]

I have done serial in past, but new computers uses USB, i have a USB to RS232 adapter and worked always fine in things i need, but this time i have one USB to RJ45 and program detects well but dont do nothing!

Do you have one working? I can pay for one that works, you can post a video doing it and showing it?

[1715051812]

1715051812

[1715051812]

1715051812

[1715051812]

1715051812

[1715051812]

1715051812

[1715051812]

1715051812

[supersonic]

Power the controller, no need for hashboards.
This is a serial link, old fashioned method you may not be familiar with depending on your age, so use a serial terminal, not ssh client; forget putty.

If you do it correctly you should get a prompt when you plug the cable and hit enter; probably login and password.

It works either through putty or cooltherm, problem i had was when prompted for login, i couldnt type anything, tho led light was blinking on controller when i tried.

[Artemis3]

That sounds like your terminal has the wrong echo configuration. I am not exactly sure how good something like putty is for serial communications as i have never ever tried it for that. Anyway whatever terminal you use, try to find out how to change the echo configuration so it shows the characters you are sending instead of waiting for remote to send them back.

[cfbtcman]

Artemis, this is a post just to try to make Bitmain thinks there is solution?

I ask this because the only guys that say they can open SSH they ask a lot of money in bitcoin and they say just work with >100 units and they dont give solutions for free!

In this conditions i have the solution too, i can pass my BTC address to anybody that wants to pay!!!!

Here we have ppl saying the pinout of FTDI needs to be connected to RJ45 port?!!!!!! I never saw that in all my life!

I spoke with some guys that say there is special points in board to make the connections, here nobody prints pictures of a scheme or a link to youtube, so, this is real or just another myth?

Have you already tried and worked or have any other guy here tried and worked that can post a real scheme with real pictures or youtube video?

P.S,- There is some guys that are trying since the beginning of the year to get funds in bitcoin to pay to White Rabbit post solution that is supposed to be the creator of exploit and they still trying to collect more money, so for me this seems just a fake, can someone prove i am wrong?

[bommachine]

Has anyone tried the instructions in the following link?

https://forum.hiveos.farm/t/antminer-s17-t17-support/12415
It’s based on a lighthttpd exploit on firmware version 0527 which is longer available to download.

If anyone has this firmware could they share with us so we can test.

Another method I’m going to try is to change the firmware myself and then reupload, but not sure that will work.

[fubly]

New hint:
this exploit will not work, wrong parameters in curl, will only work on already opened firmware.

There is no create_log_backup.cgi, just on very old ones create_conf_backup.cgi. So it's the wrong CGI file to inject the code!
Good luck, and note nothing is for free.

[bommachine]

Cool I’ve got copies of the old firmware so I’ll test. Once I know the version of lighthttpd it will be quite easy to find the appropriate exploit if it does exist.

[Artemis3]

Artemis, this is a post just to try to make Bitmain thinks there is solution?

If i were you, i would use the sdcard method and be done with it. Don't ask me about the newer units as i haven't touched one (yet).

[DrHyed]

Ive been tryng to downgrade the firmwear my T9+ for about a week and Im having no luck. The board will not take a sd card flash no matter what I try, I am not technical enough to truly dig in to the firmware (though I did try for about 1.5 days...) so I bought a ftdi but Im not having any luck with it either. I have cooltherm and the ft232 drivers installed and the pin outs connected correctly to the t9+ board and ftdi but I am not prompted to log in when I open cooltherm or plug the ftdi into the computer or press the connect button inside cooltherm. I have the baud rate at 115000, the miner board is powered up, what am I missing? How do I make the ftdi and miner board talk? Im assuming once they are communicating I can modify the bin file (or whatever its called specifically) via cooltherm and then upgrade/downgrade out of the ssh version of the firmwear thats on my board at the moment? Sorry for all the questions, ill get this newb knocked off me soon I promise!

Thank You
Jay

[BitMaxz]

Ive been tryng to downgrade the firmwear my T9+ for about a week and Im having no luck. The board will not take a sd card flash no matter what I try, I am not technical enough to truly dig in to the firmware (though I did try for about 1.5 days...) so I bought a ftdi but Im not having any luck with it either. I have cooltherm and the ft232 drivers installed and the pin outs connected correctly to the t9+ board and ftdi but I am not prompted to log in when I open cooltherm or plug the ftdi into the computer or press the connect button inside cooltherm. I have the baud rate at 115000, the miner board is powered up, what am I missing? How do I make the ftdi and miner board talk? Im assuming once they are communicating I can modify the bin file (or whatever its called specifically) via cooltherm and then upgrade/downgrade out of the ssh version of the firmwear thats on my board at the moment? Sorry for all the questions, ill get this newb knocked off me soon I promise!

How about the jumper? Did you know that you need to move the jp4 jumper before you flash the miner.
Check this guide on how to flash the antminer t9+ with SD card from here "T9+ Control Board Program Recovery"

About FTDI I think this tool is only for old ASIC miner.
Check this thread from here https://bitcointalk.org/index.php?topic=831601.0

[cfbtcman]

If i were you, i would use the sdcard method and be done with it. Don't ask me about the newer units as i haven't touched one (yet).

I think there is no solution yet to boot with SDCARD in a S15 machine.

New hint:
this exploit will not work, wrong parameters in curl, will only work on already opened firmware.

There is no create_log_backup.cgi, just on very old ones create_conf_backup.cgi. So it's the wrong CGI file to inject the code!
Good luck, and note nothing is for free.

If nothing is for free these post makes no sense!
There is many things free in this life like air, sunlight, rain...

Ok, even if we need to pay it, someone have the contact of someone that can unlock machines remotly for a fair price?

If everybody could unlock and overclock machines the hashrate would grow up, without hashrate going up, bitcoin cant go up, all we want bitcoin going up, so teoretically the guys that have the solution could post the solution and they could earn in bitcoin valorization, the problem is that guys are very smart in somethings but not so smart in another.

If i had the solution i would post for everybody.

[supersonic]

That sounds like your terminal has the wrong echo configuration. I am not exactly sure how good something like putty is for serial communications as i have never ever tried it for that. Anyway whatever terminal you use, try to find out how to change the echo configuration so it shows the characters you are sending instead of waiting for remote to send them back.

Well, no wonder i couldnt do anything - my ftdi was broken. I got another and everything is working as intended.

[tim-bc]

Tim, in a S15 you can easily overclocking it to do 33TH and oficially it just do 28TH its a big difference and Bitmain dont allow people to do it with web interface.

I agree that's a huge issue.. unfortunately there is no S15 firmware that allows for ssh, we should at least have the choice to use ssh if needed.

I don't have any S15 yet, might want to contact Alex as it seems he's got ssh working on his S15? https://www.youtube.com/watch?v=UJv6rrUNU60.

[cfbtcman]

I agree that's a huge issue.. unfortunately there is no S15 firmware that allows for ssh, we should at least have the choice to use ssh if needed.

I don't have any S15 yet, might want to contact Alex as it seems he's got ssh working on his S15? https://www.youtube.com/watch?v=UJv6rrUNU60.

I contacted some guys some that say they could do it but in the end nothing!
Wanted money in bitcoin a huge quantity and the ones that asked little money and said could do it remotly never have done it, even with my agree to pay it.

Well, no wonder i couldnt do anything - my ftdi was broken. I got another and everything is working as intended.

So, can you post some video/pictures of all the process like diagram connections etc ?

[Artemis3]

Well, no wonder i couldnt do anything - my ftdi was broken. I got another and everything is working as intended.

Well there is always that... I guess we all have to have a tester around just in case, tho i'm not sure how that would work with the usb variant the plain serial version is easy to test. Of course there is always the "dumb" serial to usb adapter which can be separate from a "dumb" serial to lan port.

Glad it worked for you in the end.

[bommachine]

Hi all,

I managed to unlock a new S17 antimner to run SSH.
If you are running light http 14.3.2 it will work. If I get enough requests I will do a medium post to show how it's done.

In a nutshell the SSH service that ant miner has installed is called dropbear and is automatically re-activated if you manage to create a SSH key.
This version of light http allow you to create files directly on the system.

[cfbtcman]

Hi all,

I managed to unlock a new S17 antimner to run SSH.
If you are running light http 14.3.2 it will work. If I get enough requests I will do a medium post to show how it's done.

In a nutshell the SSH service that ant miner has installed is called dropbear and is automatically re-activated if you manage to create a SSH key.
This version of light http allow you to create files directly on the system.

Hi, how can we know the lighttpd version?


New idea to hack S15 and S17 machines...

It seems Bitmain uses a MD5 check to watch if file is OK like you can see in this example of runme.sh script:

Code:

if [ -e uramdisk.image.gz ]; then
    md5=`md5sum uramdisk.image.gz | awk {'print $1'}`
    md5_r=`cat md5_info`
    if [ $md5 == $md5_r ];then
		flash_erase /dev/mtd1 0x0 0x100 >/dev/null 2>&1
		nandwrite -p -s 0x0 /dev/mtd1 uramdisk.image.gz >/dev/null 2>&1
		if [ -e /dev/mtd4 ]; then
			flash_erase /dev/mtd4 0x0 0x100 >/dev/null 2>&1
			nandwrite -p -s 0x0 /dev/mtd4 uramdisk.image.gz >/dev/null 2>&1
		fi

After calculates the md5sums in the file "fileinfo":

Code:

131e5abc56aedc8bb2aa5e32747ea0bd  md5_info
5775f1b099dbaf88bb0a09e95123efda  uramdisk.image.gz
8a9d791d493c3cb249a3aba8118f1b7d  BOOT.bin
56dc397d0ffbe15164998bc38366e69e  runme.sh

They made a new file "fileinfo.sig" with signature of them inside based in that md5sum.

So after some investigation i discovered this in wikipedia:

The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".

So, if we change a runme.sh to run commands to open ssh like creating a dropbear file with ssh key ( its seems dropbear auto-activates if have some ssh key in config folder) and we could generate the same md5sum = 56dc397d0ffbe15164998bc38366e69e we can brake this easily !

Any ideas about how to do that hack in MD5? With this solution we can generate one image for everybody installs.

[thierry4wd]

Hi , i try this methode, but not work ...

I connected my FTDI by "RX" + "TX" + "GND" on FTDI and Antminer controler (for test is S9 controler)
I powered my controler, connected my ftdi to computer, and run coolterm (on win XP)
On coolterm, the command send with success, the green led on FDTI flash on send command, but no back :s

all help are welcome !!! 

http://www.noelshack.com/2019-37-6-1568478681-20190914-182318.jpg

So ! now connect as success !

on controler booting, automatique send me a boot sequence (same page to kernel log on web page miner) , not need authentificate, is auto connect on serial !

For wire diagram, is good, but just Swap "RX" and "TX" ... ("GND" is optional ? working whitout... i don't know what)



I work for this ... is good idea working hand in hand   ? why not ?

I test to send command, but absolut no reponce ... because my miner is not operational ? not fan and not hashboard, the booting is not complet ? i don't know ... just try it soon

[Artemis3]

So ! now connect as success !

on controler booting, automatique send me a boot sequence (same page to kernel log on web page miner) , not need authentificate, is auto connect on serial !

For wire diagram, is good, but just Swap "RX" and "TX" ... ("GND" is optional ? working whitout... i don't know what)

Yes its "optional", but use it...

And yes, given two identical serial ports, to connect to each other you have to swap tx and rx, this used to be called "null modem". AND, until gigabit LAN, to connect two nics together you were supposed to do the same thing with the two pairs it uses 12, 36, also called "crossover".

(The thing with gigabit lan is that it auto swaps the pairs, and in addition 45 and 78 are also used and swapped when needed, and it even corrects mistakes).

[thierry4wd]

Update , Weldone ! SSH Run again on latest firmware !

The Fubly tuto is good !!! but missing litle information    no help for me so just search it by yourself