Antbleed update — more than expected.

WhaleCalls
Apr 29, 2017


Redditor “nothematrix” investigated his own equipment and found that still more callbacks to Bitmain may be made by the “single-board-test” utility. The end result is a check that authorizes whether a miner is allowed to start its mining service, this time keyed on the MAC address.

The probable reason this utility is included is to test board quality before shipping, but why make such a thing phone home first? However, this was included without being mentioned anywhere in the documentation, the Terms of Service or the published source code.

We have confirmed the finding ourselves on an older Antminer S4 and an Antminer S9, so it is true and therefore worth reporting.

Update

BITMAIN has released the source as of 4/29/2017 here. It appears this utility also phones home to ensure that the miners are actually being repaired at a BITMAIN factory.

The mere possibility of these remote calls is spooking an already distrustful audience and client base. It would be wise for BITMAIN’s PR to release a public statement declaring any remaining callbacks that might be possible, and to adjust their policy to list the source code of all binaries and utilities that ship with their products.

Below is a paraphrase of his post at the time of writing:

“””

To start, this binary is present in older firmwares too. They haven’t added anything new, there’s just more of this code lingering around in binaries we don’t have a source to inspect. They’d do best to release the source code of this as well and explain why there’s seemingly another instance of a backdoor on their miners.

I’ll note that there’s no source for single-board-test available on Github, it's a binary which is run on startup in the older firmware that appears to do things like pre-warming the chips before testing their clock performance.

Given the URI is “doauth.asp” it sort of suggests it’s more of the same remote shutdown than a statistics thing.

The procedure doing the second HTTP request is named isAuthToRun, so this seems to be another backdoor. It appears to make the call to “bitmain.com” with details of the hash boards and the MAC address, and returns a yes or no if the device is allowed to mine or not.

try getauth on MAC=%02x%02x%02x%02x%02x%02x reqID=%02x%02x%02x%02x%02x%02x
http://bindminers.bitmain.com:6060/minerauth/doauth.asp?minerMAC=%02x%02x%02x%02x%02x%02x&reqID=%02x%02x%02x%02x%02x%02x

root@antMiner:/usr/bin# ls -lh single-board-test
-rwxrwxrwx 1 root root 1.8M Dec 9 06:21 single-board-test
root@antMiner:/usr/bin# strings single-board-test | grep bitmain.com
http://bindminers.bitmain.com:6060/minerauth/postrate.asp?minerMAC=%02x%02x%02x%02x%02x%02x&hashrate=%d
http://bindminers.bitmain.com:6060/minerauth/doauth.asp?minerMAC=%02x%02x%02x%02x%02x%02x&reqID=%02x%02x%02x%02x%02x%02x

“””
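As an added example (not part of the original article or the quoted Reddit post), the sketch below generalizes the `strings | grep bitmain.com` check: it pulls printable strings out of a binary and flags any embedded URL template whose query values are printf-style fields, noting the ones shaped like a MAC address. The function names are hypothetical, and the sample blob is constructed from the strings quoted above, not taken from a real firmware image.

```python
import re
from urllib.parse import urlsplit

MAC_FMT = "%02x" * 6                        # six hex bytes: the shape of a MAC address
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
FMT_RE = re.compile(r"%[0-9.]*[a-zA-Z]")    # simple printf conversion such as %d or %02x

def extract_strings(blob, min_len=6):
    """Printable-ASCII runs, the same idea as strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def find_callback_templates(blob):
    """Return URL templates whose query values are filled in at run time."""
    findings, seen = [], set()
    for text in extract_strings(blob):
        for url in URL_RE.findall(text):
            if url in seen:
                continue
            seen.add(url)
            try:
                parts = urlsplit(url)
                port = parts.port           # raises ValueError on a malformed port
            except ValueError:
                continue
            params = {}
            # Split by hand: parse_qsl would percent-decode "%02" and hide the format spec.
            for pair in parts.query.split("&"):
                name, _, value = pair.partition("=")
                if value == MAC_FMT:
                    params[name] = "mac-sized"
                elif FMT_RE.search(value):
                    params[name] = "printf-field"
            if params:
                findings.append({"host": parts.hostname, "port": port,
                                 "path": parts.path, "params": params})
    return findings

# Constructed sample: NUL-separated strings as they would sit in a binary's data section.
SAMPLE = b"\x7fELF\x01\x01\x00" + b"\x00".join([
    b"try getauth on MAC=" + MAC_FMT.encode() + b" reqID=" + MAC_FMT.encode(),
    b"http://bindminers.bitmain.com:6060/minerauth/doauth.asp?minerMAC="
    + MAC_FMT.encode() + b"&reqID=" + MAC_FMT.encode(),
    b"http://bindminers.bitmain.com:6060/minerauth/postrate.asp?minerMAC="
    + MAC_FMT.encode() + b"&hashrate=%d",
    b"isAuthToRun",
]) + b"\x00\x03\x04"

if __name__ == "__main__":
    for finding in find_callback_templates(SAMPLE):
        print(finding)
```

To audit an actual image, read each unpacked firmware binary with `open(path, "rb").read()` and pass the bytes to `find_callback_templates`.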

Thanks for reading

If you enjoyed our article series so far, we accept bitcoin and ethereum tips which go towards funding WhaleCalls project(s).

BTC — 1AbRKiVkbffFAxpJcCHsNAgMB33EWmEiUJ

ETH — 0xf23eb771cc83A36967E80dA3d10881204d442878
