Pages:
Author

Topic: Antminer Hack S9 /S15 / S17 / Sx aso. SSH and so on for free (Read 3383 times)

sr. member
Activity: 446
Merit: 347
19 series containe Efuse  Grin
newbie
Activity: 9
Merit: 0
Does this still work? Will it work on a S19J Pro?

Thanks Smiley
newbie
Activity: 1
Merit: 0
hello pls help..my S9 signature lock 2019, then have missing chip. beside sd card slot..I buy USB to uArt from amazon from this link. I try connect my s9 board from usb s9 board Rx to Tx, Tx to Rx,then Ground, I used cool term. i follow the instruction above, then I power my board I got a reading..continuously...no stopping I cant log in cause continues reading...or receiving from my board..pls help to unlock my s9 i try everything from GUI Sd card but nothing happen I thought the USB to TTL is working here..https://www.amazon.com/gp/product/B00LZVEQEY/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1
hero member
Activity: 561
Merit: 521
Trustless IceColdWallet
File: /www/pages/cgi-bin/activate_ssh_again.cgi

Code:
#!/bin/sh
##############################################################################
 #category "BitCain5.com for Bitmain Antminer's "
 #package "BitCain5.com custom Firmware"
 #author Miguel Padilla
 #copyright (c) 2013 - 2021 Miguel Padilla
 #link "https://shop.zwilla.de"
 #github "https://github/zwilla"
 #twitter "https://twitter.com/mytokenwallet"
 #license: closed
##############################################################################

set -x

fuser -vk 22/tcp | sh /etc/init.d/network.sh | /etc/init.d/avahi restart > /dev/null | sh /etc/init.d/dropbear start | /usr/sbin/lighttpd -f /etc/lighttpd.conf

cat <<-EOH





 
SSH is activated!

Enable SSH



If you are not redirected automatically, follow the


link


EOH
exec 2>&1
exit 0;
newbie
Activity: 2
Merit: 0
*****UPDATE*****

Finally I was able to get this to work.

Please DM me if you would like the solution. Not charging anything, its just better this way.

cdmkultra, mate I would love to get the solution you've mentioned but you have recieving messages from "Newbie" rank blocked so I can't contact you via PM. Please set it differently (it has to be done explicitly with checking "Allow newbies to send you PMs." option in the Personal Message Options in your Profile settings. Or contact me via PM.
newbie
Activity: 10
Merit: 0
thank you for the post and the help here. I followed these directions below and had a little trouble but ultimately was able to get "almost" all of it working for an S9.

I am using the following Firmware

Code:
Miner Type                              Antminer S9
Hostname                             antMiner
Model                                     GNU/Linux
Hardware Version                     30.0.1.3
Kernel Version                             Linux 3.14.0-xilinx-ga36f3af-dirty #90 SMP PREEMPT Thu Jun 20 15:01:47 CST 2019
File System Version             Tue Jul 30 20:37:39 CST 2019
Logic Version                             V1.3.56
BMminer Version                     2.0.0

Problems I noticed:

It appears that Bitmain has taken some precautions to confuse us a bit more

- Changed the ownership of many directories away from root
- Changed Read,Write,Execution settings for certain import files (including some dropbear related files)

Results:

After giving ownership back to root and allowing those particular dropbear files to be executed, I was able to get the RSA Key created!! SUCCESS KIND OF ;(

However, dropbear will not start and I cannot figure out why. So I was hoping that someone could give me a couple commands to try and I will post the results back here.



*****UPDATE*****

Finally I was able to get this to work.

Please DM me if you would like the solution. Not charging anything, its just better this way.
newbie
Activity: 1
Merit: 0
Hi all,

I managed to unlock a new S17 antimner to run SSH.
If you are running light http 14.3.2 it will work. If I get enough requests I will do a medium post to show how it's done.

In a nutshell the SSH service that ant miner has installed is called dropbear and is automatically re-activated if you manage to create a SSH key.
This version of light http allow you to create files directly on the system.

Cool!
Did you unlocked S17 with 0524 firmware or  with latest firmware?
Could you please let us know which security issue of lighttpd is being used? Do u have the exploit or cve number?
Thank you in advance!!!
member
Activity: 264
Merit: 16
What about exploit file?

It seems the 1st exploit was just a file that explored a bug by http access, someone sent me the file, but gives me some error testing, someone can tryit using a linux computer that can run anything even in the case could have virus?

This is supposed to work just running the command and giving the IP of machine we want to activate SSH as parameter, i dont have success because there is some error, but other guys i passed this they get another errors, this is supposed to run in Ubuntu, someone can try in a closed environment for the possibility of virus and give feedback?

https://gofile.io/?c=Xblcbq
newbie
Activity: 1
Merit: 0
So, all the exploits I knew of are now patched in the latest firmware. So I'm trying the FTDI method. Can I get some help here?

HACK FIRMWARE and SSH and EXPLOIT for free



I got the exact FTDI board linked here. Using an S9 for testing, but not getting any data over serial. I've tried different computers (2x Windows 10, 1x Linux running inside a VM) and different USB cables, no dice so far.

Could be my FTDI board is bad, but I want to make sure I have the setup correct:

- Does the square hole on the board correspond to DTR or GND? When I connect DTR, the control board lights up even with PSU off.
- Are we supposed to use 3.3v or 5v? 3.3v does nothing for me, but the above works on 5v.

Any suggestions?
jr. member
Activity: 36
Merit: 5
CEO - Krater.io
hi everyone!

I managed to log into the miner over serial. After that I created the RSA Key without the -y argument, because the file didn't previously exist. That created the dropbear_rsa_host_key succesfully. However upon reboot I am unable to SSH into the miner. I can SSH into the miner if I do
Code:
dropbear -r /config/dropbear_rsa_host_key -p 22
and then ssh into the miner from another computer in the network.

I started investigating and found /etc/default/dropbear and /config/dropbear. Those two files contain only a line "NO_START=1". I changed both to "NO_START=0" but it didn't work. After restarting the miner, both files will show "NO_START=1" again.

I cannot for the life of me find out what other process or init script is chaging those files and making the dropbear not start appropriately.

Can someone give me a hand, please?

EDIT: I tried editing /etc/init.d/bitmainer_setup.sh and comment out all the lines referring to dropbear and the config files. Doesn't work. After reboot it gets back to the original state.

I cannot find the init script that makes that file go back to its original state disabling dropbear init script.
newbie
Activity: 4
Merit: 0
hero member
Activity: 561
Merit: 521
Trustless IceColdWallet
next hint:
"cam"  Grin
newbie
Activity: 4
Merit: 0
Ive connected to S15 ok. But SSH service doesn't starts after reboot. If i run it from command line service starts fine.

Code:
/usr/sbin/dropbear -r /config/dropbear_rsa_host_key -p 22

How to fix that ?

TNX
Kasner
sr. member
Activity: 446
Merit: 347
Update , Weldone ! SSH Run again on latest firmware !

The Fubly tuto is good !!! but missing litle information  Grin  no help for me so just search it by yourself  Grin
legendary
Activity: 2030
Merit: 1569
CLEAN non GPL infringing code made in Rust lang
So ! now connect as success !

on controler booting, automatique send me a boot sequence (same page to kernel log on web page miner) , not need authentificate, is auto connect on serial !

For wire diagram, is good, but just Swap "RX" and "TX" ... ("GND" is optional ? working whitout... i don't know what)

Yes its "optional", but use it...

And yes, given two identical serial ports, to connect to each other you have to swap tx and rx, this used to be called "null modem". AND, until gigabit LAN, to connect two nics together you were supposed to do the same thing with the two pairs it uses 12, 36, also called "crossover".

(The thing with gigabit lan is that it auto swaps the pairs, and in addition 45 and 78 are also used and swapped when needed, and it even corrects mistakes).
sr. member
Activity: 446
Merit: 347
Hi , i try this methode, but not work ...

I connected my FTDI by "RX" + "TX" + "GND" on FTDI and Antminer controler (for test is S9 controler)
I powered my controler, connected my ftdi to computer, and run coolterm (on win XP)
On coolterm, the command send with success, the green led on FDTI flash on send command, but no back :s

all help are welcome !!!  Grin

http://www.noelshack.com/2019-37-6-1568478681-20190914-182318.jpg



So ! now connect as success !

on controler booting, automatique send me a boot sequence (same page to kernel log on web page miner) , not need authentificate, is auto connect on serial !

For wire diagram, is good, but just Swap "RX" and "TX" ... ("GND" is optional ? working whitout... i don't know what)



I work for this ... is good idea working hand in hand  Tongue ? why not ?

I test to send command, but absolut no reponce ... because my miner is not operational ? not fan and not hashboard, the booting is not complet ? i don't know ... just try it soon Wink
member
Activity: 264
Merit: 16
Hi all,

I managed to unlock a new S17 antimner to run SSH.
If you are running light http 14.3.2 it will work. If I get enough requests I will do a medium post to show how it's done.

In a nutshell the SSH service that ant miner has installed is called dropbear and is automatically re-activated if you manage to create a SSH key.
This version of light http allow you to create files directly on the system.

Hi, how can we know the lighttpd version?



New idea to hack S15 and S17 machines...

It seems Bitmain uses a MD5 check to watch if file is OK like you can see in this example of runme.sh script:

Code:
if [ -e uramdisk.image.gz ]; then
    md5=`md5sum uramdisk.image.gz | awk {'print $1'}`
    md5_r=`cat md5_info`
    if [ $md5 == $md5_r ];then
flash_erase /dev/mtd1 0x0 0x100 >/dev/null 2>&1
nandwrite -p -s 0x0 /dev/mtd1 uramdisk.image.gz >/dev/null 2>&1
if [ -e /dev/mtd4 ]; then
flash_erase /dev/mtd4 0x0 0x100 >/dev/null 2>&1
nandwrite -p -s 0x0 /dev/mtd4 uramdisk.image.gz >/dev/null 2>&1
fi

After calculates the md5sums in the file "fileinfo":

Code:
131e5abc56aedc8bb2aa5e32747ea0bd  md5_info
5775f1b099dbaf88bb0a09e95123efda  uramdisk.image.gz
8a9d791d493c3cb249a3aba8118f1b7d  BOOT.bin
56dc397d0ffbe15164998bc38366e69e  runme.sh

They made a new file "fileinfo.sig" with signature of them inside based in that md5sum.

So after some investigation i discovered this in wikipedia:

The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".

So, if we change a runme.sh to run commands to open ssh like creating a dropbear file with ssh key ( its seems dropbear auto-activates if have some ssh key in config folder) and we could generate the same md5sum = 56dc397d0ffbe15164998bc38366e69e we can brake this easily !

Any ideas about how to do that hack in MD5? With this solution we can generate one image for everybody installs.
newbie
Activity: 5
Merit: 0
Hi all,

I managed to unlock a new S17 antimner to run SSH.
If you are running light http 14.3.2 it will work. If I get enough requests I will do a medium post to show how it's done.

In a nutshell the SSH service that ant miner has installed is called dropbear and is automatically re-activated if you manage to create a SSH key.
This version of light http allow you to create files directly on the system.
legendary
Activity: 2030
Merit: 1569
CLEAN non GPL infringing code made in Rust lang
Well, no wonder i couldnt do anything - my ftdi was broken. I got another and everything is working as intended.

Well there is always that... I guess we all have to have a tester around just in case, tho i'm not sure how that would work with the usb variant the plain serial version is easy to test. Of course there is always the "dumb" serial to usb adapter which can be separate from a "dumb" serial to lan port.

Glad it worked for you in the end.
member
Activity: 264
Merit: 16
I agree that's a huge issue.. unfortunately there is no S15 firmware that allows for ssh, we should at least have the choice to use ssh if needed.

I don't have any S15 yet, might want to contact Alex as it seems he's got ssh working on his S15? https://www.youtube.com/watch?v=UJv6rrUNU60.

I contacted some guys some that say they could do it but in the end nothing!
Wanted money in bitcoin a huge quantity and the ones that asked little money and said could do it remotly never have done it, even with my agree to pay it.

Well, no wonder i couldnt do anything - my ftdi was broken. I got another and everything is working as intended.

So, can you post some video/pictures of all the process like diagram connections etc ?
Pages:
Jump to: