Topic: Antminer Hack S9 / S15 / S17 / Sx etc. SSH and so on for free

sr. member
Activity: 446
Merit: 347
The 19 series contains an eFuse.
newbie
Activity: 9
Merit: 0
Does this still work? Will it work on an S19J Pro?

Thanks
newbie
Activity: 1
Merit: 0
Hello, please help. My S9 has the 2019 signature lock, and it has a missing chip beside the SD card slot. I bought a USB-to-UART adapter from Amazon (link below). I tried connecting to my S9 board: USB RX to board TX, TX to RX, then ground, using CoolTerm. I followed the instructions above, then powered my board and got a reading, continuously, without stopping. I can't log in because it keeps reading/receiving from my board. Please help me unlock my S9; I have tried everything from the GUI and the SD card but nothing happens. I thought the USB-to-TTL adapter was working here: https://www.amazon.com/gp/product/B00LZVEQEY/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1
hero member
Activity: 561
Merit: 517
Trustless IceColdWallet
File: /www/pages/cgi-bin/activate_ssh_again.cgi

Code:
#!/bin/sh
##############################################################################
 #category "BitCain5.com for Bitmain Antminer's "
 #package "BitCain5.com custom Firmware"
 #author Miguel Padilla
 #copyright (c) 2013 - 2021 Miguel Padilla
 #link "https://shop.zwilla.de"
 #github "https://github/zwilla"
 #twitter "https://twitter.com/mytokenwallet"
 #license: closed
##############################################################################

set -x

# Free TCP port 22, bring the network and mDNS back up, then start the SSH
# daemon and the web server. These run one after another; the original chained
# them with pipes, which does nothing useful since none of them reads stdin.
fuser -vk 22/tcp
sh /etc/init.d/network.sh
/etc/init.d/avahi restart > /dev/null
sh /etc/init.d/dropbear start
/usr/sbin/lighttpd -f /etc/lighttpd.conf

# Response page returned to the browser (the HTML markup was stripped from
# this copy; only the visible text survives).
cat <<-EOH
	SSH is activated!

	Enable SSH

	If you are not redirected automatically, follow the link
EOH

exit 0
newbie
Activity: 2
Merit: 0
*****UPDATE*****

Finally I was able to get this to work.

Please DM me if you would like the solution. Not charging anything, its just better this way.

cdmkultra, mate, I would love to get the solution you mentioned, but you have receiving messages from the "Newbie" rank blocked, so I can't contact you via PM. Please set it differently (it has to be done explicitly by checking the "Allow newbies to send you PMs." option in the Personal Message Options in your Profile settings), or contact me via PM.
newbie
Activity: 10
Merit: 0
Thank you for the post and the help here. I followed the directions below and had a little trouble, but ultimately was able to get "almost" all of it working on an S9.

I am using the following Firmware

Code:
Miner Type            Antminer S9
Hostname              antMiner
Model                 GNU/Linux
Hardware Version      30.0.1.3
Kernel Version        Linux 3.14.0-xilinx-ga36f3af-dirty #90 SMP PREEMPT Thu Jun 20 15:01:47 CST 2019
File System Version   Tue Jul 30 20:37:39 CST 2019
Logic Version         V1.3.56
BMminer Version       2.0.0

Problems I noticed:

It appears that Bitmain has taken some precautions to confuse us a bit more

- Changed the ownership of many directories away from root
- Changed the read, write and execute permissions on certain important files (including some dropbear-related files)

Results:

After giving ownership back to root and allowing those particular dropbear files to be executed, I was able to get the RSA key created!! SUCCESS, KIND OF ;(

However, dropbear will not start and I cannot figure out why. So I was hoping that someone could give me a couple of commands to try, and I will post the results back here.



*****UPDATE*****

Finally I was able to get this to work.

Please DM me if you would like the solution. Not charging anything, its just better this way.
newbie
Activity: 1
Merit: 0
Hi all,

I managed to unlock a new S17 Antminer to run SSH.
If you are running light http 14.3.2 it will work. If I get enough requests I will do a Medium post to show how it's done.

In a nutshell, the SSH service that the Antminer has installed is called dropbear, and it is automatically re-activated if you manage to create an SSH key.
This version of light http allows you to create files directly on the system.

Cool!
Did you unlock the S17 with the 0524 firmware or with the latest firmware?
Could you please let us know which security issue in lighttpd is being used? Do you have the exploit or the CVE number?
Thank you in advance!!!
member
Activity: 264
Merit: 16
What about the exploit file?

It seems the first exploit was just a file that exploited a bug over HTTP access. Someone sent me the file, but it gives me an error when testing. Can someone try it on a Linux computer that can run anything, even in case it has a virus?

This is supposed to work just by running the command and giving the IP of the machine we want to activate SSH on as a parameter. I had no success because there is some error, and other guys I passed this to get other errors. It is supposed to run on Ubuntu. Can someone try it in a closed environment, because of the possibility of a virus, and give feedback?

https://gofile.io/?c=Xblcbq
newbie
Activity: 1
Merit: 0
So, all the exploits I knew of are now patched in the latest firmware. So I'm trying the FTDI method. Can I get some help here?

HACK FIRMWARE and SSH and EXPLOIT for free



I got the exact FTDI board linked here. Using an S9 for testing, but not getting any data over serial. I've tried different computers (2x Windows 10, 1x Linux running inside a VM) and different USB cables, no dice so far.

Could be my FTDI board is bad, but I want to make sure I have the setup correct:

- Does the square hole on the board correspond to DTR or GND? When I connect DTR, the control board lights up even with PSU off.
- Are we supposed to use 3.3v or 5v? 3.3v does nothing for me, but the above works on 5v.

Any suggestions?
jr. member
Activity: 36
Merit: 5
CEO - Krater.io
hi everyone!

I managed to log into the miner over serial. After that I created the RSA key without the -y argument, because the file didn't previously exist. That created dropbear_rsa_host_key successfully. However, upon reboot I am unable to SSH into the miner. I can SSH into the miner if I do
Code:
dropbear -r /config/dropbear_rsa_host_key -p 22
and then ssh into the miner from another computer in the network.

I started investigating and found /etc/default/dropbear and /config/dropbear. Those two files contain only the line "NO_START=1". I changed both to "NO_START=0" but it didn't work. After restarting the miner, both files show "NO_START=1" again.

I cannot for the life of me find out what other process or init script is changing those files and preventing dropbear from starting properly.

Can someone give me a hand, please?

EDIT: I tried editing /etc/init.d/bitmainer_setup.sh and commenting out all the lines referring to dropbear and the config files. Doesn't work. After reboot it goes back to the original state.

I cannot find the init script that restores that file to its original state, disabling the dropbear init script.
hero member
Activity: 561
Merit: 517
Trustless IceColdWallet
Next hint:
"cam"
newbie
Activity: 4
Merit: 0
I've connected to the S15 OK, but the SSH service doesn't start after reboot. If I run it from the command line the service starts fine.

Code:
/usr/sbin/dropbear -r /config/dropbear_rsa_host_key -p 22

How do I fix that?

Thanks,
Kasner
sr. member
Activity: 446
Merit: 347
Update: well done! SSH runs again on the latest firmware!

The Fubly tutorial is good, but it is missing a little information; no help from me, so just search for it yourself.
legendary
Activity: 1988
Merit: 1561
CLEAN non GPL infringing code made in Rust lang
So! Now it connects successfully!

On controller boot, it automatically sends me the boot sequence (the same as the kernel log page on the miner's web interface); no need to authenticate, it auto-connects over serial!

The wiring diagram is good, but just swap "RX" and "TX"... ("GND" is optional? It works without it... I don't know why.)

Yes, it's "optional", but use it...

And yes, given two identical serial ports, to connect them to each other you have to swap TX and RX; this used to be called a "null modem". And, until gigabit LAN, to connect two NICs together you were supposed to do the same thing with the two pairs it uses, pins 1-2 and 3-6, also called a "crossover" cable.

(The thing with gigabit LAN is that it auto-swaps the pairs; in addition, pins 4-5 and 7-8 are also used and swapped when needed, and it even corrects mistakes.)
sr. member
Activity: 446
Merit: 347
Hi, I tried this method, but it does not work...

I connected my FTDI by "RX" + "TX" + "GND" on the FTDI and the Antminer controller (for the test it is an S9 controller).
I powered my controller, connected my FTDI to the computer, and ran CoolTerm (on Windows XP).
In CoolTerm, the command is sent successfully, the green LED on the FTDI flashes when a command is sent, but nothing comes back :s

All help is welcome!!!

http://www.noelshack.com/2019-37-6-1568478681-20190914-182318.jpg



So! Now it connects successfully!

On controller boot, it automatically sends me the boot sequence (the same as the kernel log page on the miner's web interface); no need to authenticate, it auto-connects over serial!

The wiring diagram is good, but just swap "RX" and "TX"... ("GND" is optional? It works without it... I don't know why.)



I am working on this... working hand in hand is a good idea, no? Why not?

I tried sending commands, but absolutely no response... because my miner is not operational? No fans and no hashboards, so the boot is not complete? I don't know... I'll just try it soon.
member
Activity: 264
Merit: 16
Hi all,

I managed to unlock a new S17 Antminer to run SSH.
If you are running light http 14.3.2 it will work. If I get enough requests I will do a Medium post to show how it's done.

In a nutshell, the SSH service that the Antminer has installed is called dropbear, and it is automatically re-activated if you manage to create an SSH key.
This version of light http allows you to create files directly on the system.

Hi, how can we know the lighttpd version?



New idea to hack S15 and S17 machines...

It seems Bitmain uses an MD5 check to see whether a file is OK, as you can see in this excerpt from the runme.sh script:

Code:
if [ -e uramdisk.image.gz ]; then
    # compare the ramdisk's md5 against the value shipped in md5_info
    md5=`md5sum uramdisk.image.gz | awk {'print $1'}`
    md5_r=`cat md5_info`
    if [ $md5 == $md5_r ];then
        # only on a match is the ramdisk written to flash
        flash_erase /dev/mtd1 0x0 0x100 >/dev/null 2>&1
        nandwrite -p -s 0x0 /dev/mtd1 uramdisk.image.gz >/dev/null 2>&1
        if [ -e /dev/mtd4 ]; then
            flash_erase /dev/mtd4 0x0 0x100 >/dev/null 2>&1
            nandwrite -p -s 0x0 /dev/mtd4 uramdisk.image.gz >/dev/null 2>&1
        fi
    fi
fi

Then it calculates the md5sums listed in the file "fileinfo":

Code:
131e5abc56aedc8bb2aa5e32747ea0bd  md5_info
5775f1b099dbaf88bb0a09e95123efda  uramdisk.image.gz
8a9d791d493c3cb249a3aba8118f1b7d  BOOT.bin
56dc397d0ffbe15164998bc38366e69e  runme.sh

They made a new file "fileinfo.sig" with a signature over them, based on those md5sums.

So after some investigation i discovered this in wikipedia:

The weaknesses of MD5 have been exploited in the field, most infamously by the Flame malware in 2012. The CMU Software Engineering Institute considers MD5 essentially "cryptographically broken and unsuitable for further use".

So, if we change runme.sh to run commands that open SSH, like creating a dropbear file with an SSH key (it seems dropbear auto-activates if there is an SSH key in the config folder), and we could generate the same md5sum = 56dc397d0ffbe15164998bc38366e69e, we can break this easily!

Any ideas about how to do that hack on MD5? With this solution we can generate one image for everybody to install.
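The two-level check the post above describes, as an added example in Python; this is not code from the original post or from Bitmain's firmware. It models a signature over the fileinfo manifest (an HMAC with a constructed key stands in for whatever key signs fileinfo.sig; that, the file contents and the dropbearkey line appended to runme.sh are all assumptions made only so the example runs offline) plus the per-file md5 entries, and mirrors the runme.sh test that compares the ramdisk against md5_info. The point a practitioner should take from it: runme.sh's own check only covers uramdisk.image.gz, so a modified runme.sh still passes it, but fileinfo covers runme.sh itself, and because the target digest 56dc... is fixed, replacing runme.sh needs a second preimage of MD5, not a collision. Flame's chosen-prefix collision required the attacker to control both colliding inputs; no practical second-preimage attack on MD5 is published, so the weak link here is whatever protects fileinfo.sig, not MD5 collisions.

```python
import hashlib
import hmac

# Assumed vendor key: stands in for the key behind fileinfo.sig (constructed).
VENDOR_KEY = b"constructed-vendor-signing-key"


def make_bundle():
    """Constructed stand-in for the update bundle listed in the post."""
    files = {
        "uramdisk.image.gz": b"\x1f\x8b\x08\x00placeholder-ramdisk-bytes",
        "BOOT.bin": b"placeholder-bootloader-bytes",
        "runme.sh": (b"#!/bin/sh\n"
                     b"flash_erase /dev/mtd1 0x0 0x100\n"
                     b"nandwrite -p -s 0x0 /dev/mtd1 uramdisk.image.gz\n"),
    }
    # md5_info holds the expected digest of the ramdisk, as runme.sh reads it
    files["md5_info"] = hashlib.md5(files["uramdisk.image.gz"]).hexdigest().encode() + b"\n"
    return files


ORIGINAL_BUNDLE = make_bundle()


def ramdisk_check(files):
    """Mirror the quoted runme.sh test: md5(uramdisk.image.gz) must equal md5_info."""
    md5 = hashlib.md5(files["uramdisk.image.gz"]).hexdigest()
    return md5 == files["md5_info"].decode().strip()


def build_fileinfo(files):
    """Manifest in md5sum output format, one '<digest>  <name>' line per file."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))


def sign_fileinfo(fileinfo):
    """Stand-in for fileinfo.sig: HMAC-SHA256 over the manifest (assumption)."""
    return hmac.new(VENDOR_KEY, fileinfo.encode(), hashlib.sha256).hexdigest()


def parse_fileinfo(fileinfo):
    manifest = {}
    for line in fileinfo.splitlines():
        digest, _, name = line.partition("  ")
        if digest and name:
            manifest[name] = digest
    return manifest


def verify_bundle(files, fileinfo, sig):
    """Return (signature_ok, {name: md5_matches}) for the two-level check."""
    sig_ok = hmac.compare_digest(sign_fileinfo(fileinfo), sig)
    manifest = parse_fileinfo(fileinfo)
    per_file = {name: hashlib.md5(files[name]).hexdigest() == digest
                for name, digest in manifest.items() if name in files}
    return sig_ok, per_file


def tampered_bundle(files, extra_cmd):
    """Modify runme.sh the way the post proposes: append an SSH-enabling command."""
    mod = dict(files)
    mod["runme.sh"] = files["runme.sh"] + extra_cmd
    return mod


if __name__ == "__main__":
    fileinfo = build_fileinfo(ORIGINAL_BUNDLE)
    sig = sign_fileinfo(fileinfo)
    # hypothetical command, illustrative only
    mod = tampered_bundle(ORIGINAL_BUNDLE, b"dropbearkey -t rsa -f /config/dropbear_rsa_host_key\n")
    print("original bundle:", verify_bundle(ORIGINAL_BUNDLE, fileinfo, sig))
    print("tampered runme.sh passes runme.sh's own check:", ramdisk_check(mod))
    print("tampered bundle against signed fileinfo:", verify_bundle(mod, fileinfo, sig))
    print("tampered bundle with re-generated, unsigned fileinfo:",
          verify_bundle(mod, build_fileinfo(mod), sig))
```

The last line of the usage shows the only shortcut that does not involve breaking MD5: regenerate fileinfo for the modified files, which then fails the signature check, so everything rests on the signing key and on whether the flasher actually validates fileinfo.sig before trusting the manifest.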
newbie
Activity: 5
Merit: 0
Hi all,

I managed to unlock a new S17 Antminer to run SSH.
If you are running light http 14.3.2 it will work. If I get enough requests I will do a Medium post to show how it's done.

In a nutshell, the SSH service that the Antminer has installed is called dropbear, and it is automatically re-activated if you manage to create an SSH key.
This version of light http allows you to create files directly on the system.
legendary
Activity: 1988
Merit: 1561
CLEAN non GPL infringing code made in Rust lang
Well, no wonder I couldn't do anything: my FTDI was broken. I got another and everything is working as intended.

Well, there is always that... I guess we all have to have a tester around just in case, though I'm not sure how that would work with the USB variant; the plain serial version is easy to test. Of course there is always the "dumb" serial-to-USB adapter, which can be separate from a "dumb" serial-to-LAN port.

Glad it worked for you in the end.
member
Activity: 264
Merit: 16
I agree that's a huge issue... unfortunately there is no S15 firmware that allows SSH; we should at least have the choice to use SSH if needed.

I don't have any S15 yet, might want to contact Alex as it seems he's got ssh working on his S15? https://www.youtube.com/watch?v=UJv6rrUNU60.

I contacted some guys who said they could do it, but in the end, nothing!
They wanted a huge amount of money in bitcoin, and the ones that asked for little money and said they could do it remotely never did it, even though I agreed to pay.

Well, no wonder I couldn't do anything: my FTDI was broken. I got another and everything is working as intended.

So, can you post some videos/pictures of the whole process, like connection diagrams etc.?