Goldshell – Mining Pool Authentication / Worker Fail

Open the Web UI at http://<miner-ip> (find IP at find.goldshell.com), log in with admin / 123456789, navigate to Miner-Status > Pool Setting, and read the wallet/account field one character at a time. Match the prefix to your miner's algorithm: k: for KD series Kadena (66 chars total); L, M, or ltc1 for LT Scrypt/Litecoin; D for Mini-DOGE solo Dogecoin; hs1 for HS Handshake; ckb1 for CK Eaglesong; 76-char hex for ST-BOX Sia. If the prefix is wrong for the chain, fix it. Save. Power-cycle for 30 seconds. This single move clears roughly 40% of Goldshell AUTH_FAIL tickets at D-Central's bench.

Strip prefixes and whitespace from the pool URL field. Pool URL = bare hostname (e.g. ltc.f2pool.com) — no stratum+tcp:// prefix, no trailing slash, no leading or trailing space. Pool Port goes in the numeric field next to it; do not paste hostname:port together — the daemon will not split it. Save the corrections, reboot.

Set the worker-password field to the literal character 'x'. Not your pool account password. Not blank (some daemons reject blank passwords as malformed). Not your email address. Not an OAuth token. Just 'x'. Some pools accept difficulty hints like 'd=4096' here — that is fine if your pool documents it. Otherwise, 'x'. Save and reboot.

Switch the username field to the format your pool's KB documents. Account-based pools (F2Pool, ViaBTC, Antpool, most named pools): username = <your_pool_account>.<workername>. Wallet-auth pools (Dxpool, NiceHash, Litecoinpool, most KDA pools): username = <your_wallet_address>.<workername>. Worker name is alphanumeric (A-Z, a-z, 0-9, plus - or _ depending on pool), no spaces, no emoji, often capped at 16-32 chars. Save. Reboot.

Confirm Goldshell Zone account binding for models that require it. See Goldshell Zendesk article on Zone login fail (https://goldshellhelp.zendesk.com/hc/en-us/articles/26892382205593). An unbound miner can produce 'login fail' errors that look like pool AUTH_FAIL. Bind in the Zone dashboard before further pool-config changes.

Power-cycle for a full 30 seconds (cord out, count to thirty, plug back in) and watch the dashboard for 5 full minutes. Goldshell's CPBO daemon sometimes takes 60-90 seconds to settle into authorized state after the first reboot of a new pool config. A warm reboot via Web UI is not enough to clear stuck Stratum auth state — pull the cord.

Switch from WiFi to Ethernet (Cat5e or Cat6) and rerun find.goldshell.com to pick up the wired IP. Reload the Web UI. WiFi-induced packet loss masquerades as AUTH_FAIL more often than people realize, especially on KD-BOX and Mini-DOGE hardware where the WiFi MAC chipset is older. Ethernet eliminates four variables at once: signal quality, wireless driver quirks, MAC-layer drops, and the WiFi-upgrade-corruption history.

Override router DNS to 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google) as primary/secondary. Save router config, reboot router, reboot miner. Canadian ISPs (Bell, Rogers, Vidéotron, Cogeco, Shaw) and some US ISPs occasionally produce slow or flaky DNS for mining-pool hostnames at default resolvers — slow enough to trip Goldshell's Stratum handshake timeout into a malformed retry that surfaces as AUTH_FAIL.

Test against a known-good Goldshell-blessed pool with a verified wallet. F2Pool endpoints: Kadena → kda.f2pool.com:5400; Litecoin → ltc.f2pool.com:8888; Handshake → hns.f2pool.com:6000; Eaglesong/CKB → ckb.f2pool.com:8899; Sia → sc.f2pool.com:7778. Use your F2Pool account name as the username prefix. If AUTH_FAIL clears, the original pool was the issue. If it persists, the miner side is broken — continue.

Run tcpdump on your router gateway (OpenWrt, pfSense, OPNsense, or a mirror port) for 2 minutes while the miner attempts to connect. Look for: SYN > SYN-ACK > ACK (pool reachable); outbound JSON mining.subscribe; inbound subscribe response with extranonce1; outbound JSON mining.authorize with [username, x]; inbound JSON {result:false, error:[...]}. The error array often contains 'unauthorized worker', 'wallet not registered', 'invalid address format', or 'region not supported' — definitive root-cause isolation in 5 minutes.

Try the alternate Goldshell-blessed pool, Dxpool. Endpoints: Kadena → kda.pool.dxpool.com:5831; Litecoin → ltc.pool.dxpool.com:5631; Handshake → hns.pool.dxpool.com:5931. Use your wallet address as the username prefix on Dxpool (it is wallet-auth, not account-auth). This isolates whether AUTH_FAIL is F2Pool-specific or universal.

VPN diagnostic for region block. Route the miner through a VPN exit in a region the pool serves (US, Western Europe, Singapore for most pools) for 30 minutes as a diagnostic. If AUTH_FAIL clears: the pool is region-blocking your IP geography. Switch to a pool that serves your region or relocate the miner's network exit. Note: long-term VPN operation produces latency-induced share rejection — diagnostic only, not a production fix.

Check the system clock under Web UI > System-Overview against a current NTP source. Stratum auth on TLS-enabled endpoints is sensitive to clock skew greater than 5 minutes. If the clock is drifted, set NTP correctly. If the clock keeps drifting back across reboots: the control-board CR2032 RTC battery is dying. Plan replacement in step 14.

Replace the control-board CR2032 RTC battery. Symptom pattern: AUTH_FAIL cycling combined with system clock drift of 24-48+ hours after reboot. Unplug power, wait 5 minutes for capacitors to discharge, pop the case, locate the coin cell on the control board, swap with a fresh CR2032. Reboot, re-set NTP. If clock holds, retry pool config. Fixes a small but real percentage of 'auth was working, suddenly broken' tickets on KD5/KD6/LT5/LT6 hardware deployed for 18+ months.

Downgrade firmware by one minor version if a recent upgrade preceded the AUTH_FAIL. Goldshell's official upgrade page (goldshell.com/upgrade-firmware/) does not always archive older releases — community sources (VoskCoin forum threads, Goldshell Telegram, reputable GitHub forks) host older .bin files. Verify the file hash against multiple community references before flashing. Flash only over Ethernet, never WiFi. Never flash during an electrical storm or on a circuit without a UPS — a brownout mid-flash bricks the miner and forces SD-card recovery.

SD-card reflash for BOX-series miners (KD-BOX, HS-BOX, ST-BOX, CK-BOX, KA-BOX, Mini-DOGE family). Download the correct factory recovery image for your model from a verified community source (James Chambers' guide links to known-good images at jamesachambers.com/goldshell-box-asic-miner-firmware-recovery-guide/). Verify hash. Write to a clean FAT32 SD card (8GB or larger) using balenaEtcher or Rufus. Power miner off, insert SD card, power on, watch the LED pattern for completion. After reflash, redo Tier 1 steps from default config.

Hardening: VLAN-isolate the miner with no WAN-initiated inbound, block all inbound, allow outbound only to pool hostnames and firmware update endpoints. Goldshell BOX miners have a documented pool-hijack botware vulnerability (medium.com/@andreas.mai/how-i-hacked-into-goldshell-crypto-miners-df774574fb47) when port-forwarded. A compromised miner silently re-points to an attacker's pool, which then rejects your wallet's mining.authorize because the attacker's pool only authorizes the attacker's wallet. After hardening, SD-card reflash from a verified clean image to remove any persistent compromise.

SSH into the miner for raw daemon log inspection (advanced — voids any remaining warranty). Andreas Mai's writeup documents the access procedure. Tail the daemon log to read the full Stratum exchange and any error messages the Web UI is suppressing. This is bench-tech territory but routinely tells you in 60 seconds what 4 hours of UI-side fiddling cannot.

Stop DIY and ship to D-Central when verified-clean firmware reflash plus verified-correct wallet/worker config against F2Pool still produces AUTH_FAIL; Web UI becomes unresponsive after reflash; visible physical damage (scorched connector, bulged cap, blown fuse, corrosion); persistent control-board flakiness pattern (random reboots + cycling auth state — Goldshell's most common control-board RMA per Zeus BTC); or you want a Canadian repair shop instead of a 6-12 week ship-to-China round-trip with customs overhead. Book at https://d-central.tech/services/asic-repair/.