Goldshell – SSH Access / Root Shell (Advanced)

Find the miner's IP using `find.goldshell.com` discovery tool, your router's DHCP table, or `nmap -sn 192.168.0.0/24`. Note it. Hardcoded factory IP on a fully reset BOX is `10.10.10.10` — set your laptop to a static IP in that subnet if needed. Identifying the IP first prevents wasted time on a wrong target.

Test SSH reachability from a workstation on the same LAN: `nc -vz <miner-ip> 22` or `nmap -p 22 <miner-ip>`. Expect `open` on legacy firmware. If it returns `closed` or `filtered`, you're either on modern Zone-bound firmware or a router firewall is interfering — different recovery path, skip ahead to the modern-firmware UART or eMMC steps.

SSH in with the publicly cracked legacy default password: `ssh root@<miner-ip>` then at the prompt enter `19283746`. This was the original 2021 Andreas Mai recovery from the DES-hashed root entry `root:UP0m2BBEXru9o:17686:0:99999:7:::` and it works on a wide range of legacy BOX-series units because the same root hash was reused across the early image generation. If accepted, you have a `#` shell — survey first, do nothing destructive yet.

Survey the system non-destructively in this order: `uname -a` (kernel + arch — expect `Linux 3.10.0-infotm`), `cat /proc/cpuinfo`, `mount` (rootfs typically on `/dev/mmcblk0p2` for BOX-series), `df -h`, `free -m` (typically 256 MB on BOX), `ps w` (find the `intminer` PID), `cat /usr/config/bfgminer/bfgminer.json` (live mining config — pool URLs, worker name, password), `ls /root/`. Read everything before you write anything.

Read kernel and miner logs: `dmesg | tail -100` for kernel events, `cat /var/log/messages` for syslog history if present, `tail -f /tmp/intminer.log` (or wherever the daemon writes — confirm via `ps` output for the `-o logfile` flag). This is the diagnostic depth the dashboard hides. Browse `/views/debug.html` in the web UI as well for the official-but-undocumented diagnostic page.

Back up the live mining config before any Tier 2 edits: `cp /usr/config/bfgminer/bfgminer.json /root/bfgminer.json.bak.$(date +%Y%m%d)`. Same for `/root/product.json` and any other file you intend to touch. Then `scp` the backups off the miner from your workstation: `scp root@<miner-ip>:/root/*.bak.* ./goldshell-backups/`. Costs nothing, saves hours of recovery later.

Edit the mining daemon's pool config directly: `vi /usr/config/bfgminer/bfgminer.json` — add a fallback pool, change worker name, swap stratum URL, adjust pool difficulty hint. Save with `:wq`, then `killall -HUP intminer` to signal the daemon to re-read config without a full reboot. Watch `tail -f /tmp/intminer.log` for the reconnect. If SIGHUP isn't honored, fall back to `killall intminer` and let init respawn it.

Adjust `target_temperature` in `/root/product.json` for aggressive thermal management. The file holds hardware tuning thresholds — lowering `target_temperature` from stock (typically 75-80 °C) to ~50 °C triggers maximum fan PWM at next miner restart. Documented Andreas Mai modification, brutal but effective in a hot summer garage. Restore from backup with `cp /root/product.json.bak.YYYYMMDD /root/product.json` if it makes the unit intolerable.

Schedule diagnostic logging via BusyBox cron. Add to `/etc/crontabs/root`: `* * * * * date >> /tmp/heartbeat.log; ps | grep intminer | grep -v grep >> /tmp/heartbeat.log` then `/etc/init.d/cron restart`. You now have minute-by-minute confirmation that the daemon is alive — invaluable for tracking down silent crashes, intermittent reboots, or memory leaks that the web dashboard's coarse-grained polling misses entirely.

Pull a full filesystem backup before any Tier 3 firmware modification: `tar czf /tmp/rootfs.tar.gz /etc /root /usr/config 2>/dev/null` then `scp root@<miner-ip>:/tmp/rootfs.tar.gz ./goldshell-rootfs-backup.tar.gz`. Three megabytes typically. This is your `undo` if Tier 3 goes sideways short of a full block-level brick.

Pull a full block-level image of the boot media (BOX-series only). Power down, pull the SD card, mount on workstation: `sudo dd if=/dev/sdX of=goldshell-kdbox-stock.img bs=4M status=progress`. Verify size matches your card. Compute and store SHA256: `sha256sum goldshell-kdbox-stock.img > goldshell-kdbox-stock.sha256`. Store this image offline in two separate locations. Without it, a botched Tier 3 means D-Central repair.

Mount the rootfs image offline and modify what you need: `sudo mount -o loop,offset=$((BOOT_SECTOR*512)) goldshell-kdbox-stock.img /mnt/goldshell` (offset depends on the image — `fdisk -l` to inspect). Edit `/mnt/goldshell/etc/shadow` to set a known root password (or empty hash for keyless), edit `/mnt/goldshell/etc/init.d/dropbear` to ensure SSH starts on boot. Unmount cleanly with `sudo umount /mnt/goldshell`. Re-flash to SD with `dd`. Re-insert. Boot.

Re-enable SSH on Zone-bound modern firmware via UART console. Open chassis. Locate the 4-pin header on the control board (TX, RX, GND, sometimes VCC). Attach a 3.3 V USB-to-UART adapter (CP2102 or FT232R) — do NOT connect VCC if the miner is independently powered. `screen /dev/ttyUSB0 115200`. Boot, interrupt U-Boot countdown. Set `setenv bootargs ${bootargs} init=/bin/sh` then `boot`. At the resulting `#` shell, mount rootfs read-write: `mount -o remount,rw /`. Edit `/etc/shadow` and the SSH startup script. `sync; reboot`.

Apply a community-built patched firmware (modern firmware path, low-confidence). Download a community-published SSH-restored Goldshell firmware image. Verify SHA256 against at least two independent mirrors AND a posted hash from the original author. Apply via the stock web UI's firmware-update flow. Always test on an expendable unit first — community image bricks are not warranty-recoverable, only D-Central or eMMC-programmer recoverable.

Lock down what you've opened. Once SSH is yours, change root password: `passwd root` then a 16+ character mixed string. Drop your SSH pubkey: `mkdir -p /root/.ssh && echo "ssh-ed25519 AAAA... you@workstation" > /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys`. Disable password auth in dropbear if your firmware build supports the `-s` flag in init. You are now the only person who can SSH to this miner — back up the key off-host.

Stop DIY when you bricked the unit during Tier 3 firmware mod and you don't have a clean stock image to restore — no LEDs, no Ethernet link-up, no UART output. Or when the unit is eMMC-based (KD5/KD6/LT5/LT6/CK6/KD-MAX) and you don't own a Beeprog2 or RT809H-class programmer to read or write the soldered chip. Book a D-Central ASIC Repair slot at https://d-central.tech/services/asic-repair/ .

What D-Central does at the bench: pull the control board off the chassis; read SD-card with our reference imager (BOX-series) or in-circuit-clip the eMMC chip with a programmer (KD/LT/CK series); restore from a known-good D-Central reference image OR from your own backup if you shipped one with the unit; re-test boot, web UI, mining daemon spawn, hashboard enumeration; burn-in 12-24 hours at nameplate. Optional add-on: leave SSH enabled and document the new credentials so you don't have to re-do the work.

Ship safely. Power down, pull power cable, pack the controller (or whole miner) in anti-static bags, double-box with at least 5 cm foam on every side. Include a written note describing exactly what you did to it — what firmware version was on it, what you tried to flash, what command you last ran, what the failure mode was. Honest disclosure halves bench time and saves you money. Include any backups (SD images, tarballs, SHA256s) on a USB stick in the box.