April 20, 2024

EBAZ4205 Bitcoin miner board - "cgminer" software (part 2)

This starts with the script /etc/rcS.d/S95cgminer.sh, which runs on every system startup (until you disable it). With the number "95" it is the last script in the startup collection to run. The crucial thing it does is this:
/opt/system/appstartup &
It looks like all of the miner software lives in /opt. What "appstartup" does is inspect the first character of "bank.conf", which had better be 0 or 1. In our case this is "0", indicating bank 0. It then does this (it would have copied the same file from the "work1" directory if bank.conf had indicated bank 1):
rm -r /tmp/*
cp /opt/work0/btc_upgrade.tar.gz /tmp/
Then it runs /opt/system/startscrip, which turns out to be a fairly short shell script. Among other things it does this:
cd /tmp/
gunzip btc_upgrade.tar.gz
tar -xvf btc_upgrade.tar
The separate gunzip is needless these days; tar itself will handle a compressed archive (tar xzf). I inspect it as follows:
cd /opt/work0
tar tvf btc_upgrade.tar.gz
-rwxr--r-- 1014/1017       711 2019-01-15 02:56:05 ./appstartup
-rwxr--r-- 1014/1017    699808 2018-11-22 19:16:20 ./chpasswd
-rwxr--r-- 1014/1017     10848 2018-11-22 19:16:20 ./console_redirect
-rwxr--r-- 1014/1017    523108 2019-08-28 00:22:39 ./dwang_btc_miner
-rwxr--r-- 1014/1017     89356 2018-12-10 23:14:29 ./ercw_main
-rwxr--r-- 1014/1017    228012 2018-06-05 18:51:31 ./ethtool
-rwxr--r-- 1014/1017   6922240 2019-07-29 22:35:59 ./HKDW.tar.gz
-rwxr--r-- 1014/1017    952896 2019-08-28 00:22:39 ./libnetsnmpagent.so.30
-rwxr--r-- 1014/1017    661508 2019-08-28 00:22:39 ./libnetsnmpmibs.so.30
-rwxr--r-- 1014/1017   1917052 2019-08-28 00:22:39 ./libnetsnmp.so.30
-rwxr--r-- 1014/1017       559 2019-02-15 23:46:40 ./proc_monitor
-rwxr--r-- 1014/1017       823 2018-12-07 23:37:18 ./reset_button
-rwxr--r-- 1014/1017    627252 2018-07-16 20:31:54 ./route
-rwxr--r-- 1014/1017       200 2019-07-25 17:34:26 ./S95cgminer.sh
-rwxrwxr-x 1014/1017     55228 2019-08-28 00:22:39 ./snmpd
-rwxr--r-- 1014/1017        45 2018-06-05 18:51:31 ./snmpd.conf
-rwxr--r-- 1014/1017       636 2018-09-03 17:29:54 ./startscrip
-rwxr--r-- 1014/1017         4 2018-06-05 18:51:31 ./sys_pll_thrs.conf
-rw-rw-r-- 1014/1017         8 2019-08-28 00:22:39 ./upgrade_ver_7.3.0.28
-rwxr--r-- 1014/1017    170504 2019-08-28 00:22:39 ./zebra
I decide to extract my own copy so I can look at it at leisure:
cd /home/root
mkdir miner
cd miner
tar xpvf /opt/work0/btc_upgrade.tar.gz
tar xpf HKDW.tar.gz
The HKDW tarball contains the "zyp" directory, which includes a fairly big "web" directory. The next steps of the miner startup, in startscrip, are as follows:
cd zyp
chmod 777 setappconf_ip.sh
./setappconf_ip.sh
I don't run this, of course, but it is actually quite short, with two lines invoking "sed" to obtain network information and then adjust appweb.conf. The stuff in "zyp" includes a README.md -- and even a Makefile that would invoke an ARM compiler, which we definitely don't have. The README talks about a web-based login form.

After this, the "startscrip" does this:

appweb --config /tmp/zyp/appweb.conf &
/tmp/dwang_btc_miner &
/tmp/snmpd -c /tmp/snmpd.conf -f &
Indeed, "appweb" is already present as a standard binary in /bin.
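Several names in the tarball listing above (chpasswd, route, ethtool, snmpd, zebra) are ordinary system utilities, and startscrip extracts the whole archive into /tmp before launching from it. As an added example, not part of the original post or of the miner firmware, here is a small POSIX sh script that extracts such a tarball into scratch space and reports which members share a name with a binary already present on a given root filesystem, and whether the two differ. The directories it searches and the output format are my choices; it assumes tar with gzip support, sha256sum and mktemp.

```shell
#!/bin/sh
# Added example (not part of the original post or the miner firmware):
# extract a btc_upgrade-style tarball into scratch space and report which
# members share a name with a binary already on the target root filesystem.
#
# Usage: audit_upgrade_tar /opt/work0/btc_upgrade.tar.gz /path/to/rootfs
# Output, one line per regular file in the archive, e.g.
#   REPLACES /bin/chpasswd sha256 DIFFERS
#   REPLACES /sbin/route sha256 SAME
#   NEW      dwang_btc_miner
#
# Assumptions: tar with gzip support, sha256sum, mktemp. SYSDIRS is my
# guess at where a copied member would land; adjust for the board.

SYSDIRS="bin sbin usr/bin usr/sbin"

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Print the rootfs-relative path of an existing system file with this
# name, or print nothing and fail if none of SYSDIRS contains one.
find_system_copy() {
    name=$1; rootfs=$2
    for d in $SYSDIRS; do
        if [ -f "$rootfs/$d/$name" ]; then
            printf '/%s/%s\n' "$d" "$name"
            return 0
        fi
    done
    return 1
}

audit_upgrade_tar() {
    tarball=$1; rootfs=${2:-/}
    work=$(mktemp -d) || return 1
    # Extract into scratch space only, never into / the way startscrip does.
    if ! tar -xzf "$tarball" -C "$work"; then
        rm -rf "$work"; return 1
    fi
    find "$work" -type f | sort | while read -r f; do
        name=${f##*/}
        if sys=$(find_system_copy "$name" "$rootfs"); then
            if [ "$(sha256_of "$f")" = "$(sha256_of "$rootfs$sys")" ]; then
                printf 'REPLACES %s sha256 SAME\n' "$sys"
            else
                printf 'REPLACES %s sha256 DIFFERS\n' "$sys"
            fi
        else
            printf 'NEW      %s\n' "$name"
        fi
    done
    rm -rf "$work"
}

# Run only when given a tarball on the command line.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_upgrade_tar "$1" "${2:-/}"
fi
```

Run it on a host with the board's root filesystem mounted (or copied over), not on the board itself, and treat any DIFFERS line as the binary worth comparing further: it is a file the upgrade ships under the same name as something already in the system path.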

Our attention now focuses on "dwang_btc_miner". This is a compiled executable and not a script.

I am curious about one aspect of it, so I do this:

strings dwang* | grep pass
Use only user + pass or userpass, but not both
Invalid value passed to set temp cutoff
Too many values passed to set temp cutoff
--pass|-p
--userpass|-O
		"pass" : "%s"
Diff zero passed to set_target
echo root:'%s' | chpasswd
cp /tmp/chpasswd /bin/chpasswd
Null string passed to valid_hex from in %s %s():%d
Invalid char 0x%x passed to valid_hex from in %s %s():%d
Null string passed to valid_ascii from in %s %s():%d
Zero length string passed to valid_ascii from in %s %s():%d
Invalid char 0x%x passed to valid_ascii from in %s %s():%d
password
Config passwd: %s command length : %d
cgminer pool_passwd %s
cluster user change pool_passwd[0]=%s
cluster user change pool_passwd[1]=%s
cluster user change pool_passwd[2]=%s
So this is what messes with the root password. I see two things of interest:
echo root:'%s' | chpasswd
cp /tmp/chpasswd /bin/chpasswd
It gets a string from somewhere and uses it to reset the root password. It also replaces the system chpasswd command with the one included with the miner software. Note that the format string drops that value between single quotes on a shell command line, so whatever supplies it needs to keep single quotes out of it. This is a pretty big executable, so probing or modifying it would be a big task.
-rwxr--r--    1 1014     1017        523108 Aug 28  2019 dwang_btc_miner
But we certainly could replace the chpasswd that is contained in the tarball with something else. Another option is to get the hashed password string from /etc/passwd and run a cracker on it. This is what I see before and after I clear the password:
root:GJhyTePXt9Nbs:0:0:root:/home/root:/bin/sh
root:$1$q.vJBdUd$YldnfoJ7TDqgO6lhSxyIS.:0:0:root:/home/root:/bin/sh
The first is a traditional DES crypt(3) hash (13 characters, two-character salt "GJ", and only the first 8 characters of the password count); the second is an MD5-crypt hash, marked by the "$1$" prefix.
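The "echo root:'%s' | chpasswd" string seen in the binary is a shell command template: whatever gets substituted for %s lands between single quotes and is then parsed by sh. The strings output does not say where that value comes from or whether the valid_ascii checks in the same listing are applied to it first, so what follows is an added illustration of the pattern itself, not a claim about dwang_btc_miner. It is a POSIX sh script of my own, not from the post or the firmware, that composes the command line two ways and pipes into cat instead of chpasswd so it changes nothing; the demonstration value is constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the miner binary.
# The format string  echo root:'%s' | chpasswd  drops a value between single
# quotes on a shell command line. This shows what sh makes of that when the
# value itself contains a single quote, and the escaping that prevents it.
# The commands pipe into cat instead of chpasswd, so nothing is changed.

# Compose the command the way the format string suggests: verbatim splice.
naive_cmd() {
    printf "echo root:'%s' | cat" "$1"
}

# Wrap a value as one single-quoted sh word. Each embedded ' becomes '\'':
# close the quoted string, emit a backslash-escaped quote, reopen it.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Same command, but the value is quoted properly before being spliced in.
safe_cmd() {
    printf "echo root:%s | cat" "$(sh_quote "$1")"
}

# Hand a composed command line to sh, as a program would via system(3).
# Assumption: the pipe in the string implies a shell parses it.
run_cmd() {
    sh -c "$1"
}

# Constructed value: a "password" that ends the quoting and adds a command.
DEMO_VALUE="x' ; echo INJECTED ; echo '"

demo() {
    printf 'naive: %s\n' "$(naive_cmd "$DEMO_VALUE")"
    printf 'output:\n%s\n' "$(run_cmd "$(naive_cmd "$DEMO_VALUE")")"
    printf 'safe:  %s\n' "$(safe_cmd "$DEMO_VALUE")"
    printf 'output:\n%s\n' "$(run_cmd "$(safe_cmd "$DEMO_VALUE")")"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as "sh quoting.sh demo": the naive form prints "INJECTED" on its own line because the quoting ended early, while the quoted form passes the whole value through as one word. In a C program the cleaner fix is not to build a command line at all but to write "root:password" to chpasswd's standard input, so the password never passes through a shell parser.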

John the Ripper

We are now working on my 8-core Intel-based Linux desktop. I did this once before. First I get "john":
su
dnf install john
I then put the first line from the above into "passwd.ebaz" and at 2:30 PM give this command:
john --fork=6 passwd.ebaz
My machine has 8 cores, so this should leave 2 for me to use while it plugs away. Indeed, "top" shows 6 "john" processes running and a load average of 6. I hear the processor fan in my desktop spin up. The last time I did this it took just over an hour.

I stopped it at 8:25 PM, almost 6 hours later. No answer.

But I have another idea. It is late and I am too tired to try it right now.


Feedback? Questions? Drop me a line!

Tom's Computer Info / tom@mmto.org