
This guy went deep on the Canaan Avalon Nano3S chip. Pretty impressive.

To the author's knowledge, this is the first time anyone has publicly reverse-engineered Canaan's A3197S Bitcoin mining ASIC — the chip at the heart of the Avalon Nano 3s and related Avalon-Nano-class hardware.

The A3197S is closed silicon. Its host-to-chip mining protocol is undocumented; the second RISC-V core that drives it ships encrypted on flash; and there is no published information describing how the chip is brought up, configured, fed work, or how it reports results. Every existing deployment of this ASIC runs the vendor's closed stack and nothing else.

This study cracked that wall: the complete A3197S serial mining protocol was recovered — chain enumeration, per-chip configuration and calibration, the high-speed bus bring-up, work dispatch, version-rolling (AsicBoost) setup, and the nonce-report format the chip returns. With the protocol understood, a branch of firmware (TNA-OS) was written to drive the chips directly, independently of any vendor software.

Assessment

4.1 The A3197S

  • Capable silicon, locked behind a closed protocol. The chip's full potential is yet to be fully explored, but it is plainly capable of far more than its stock output. What kept it throttled was never the silicon — it was the undocumented protocol and the vendor's locked firmware, which continually tunes the chips toward a ~90 °C target because the product was designed with heat generation as a first-class purpose. Once the protocol was cracked, the chip delivered.
  • Rich on-chip telemetry. The chip reports per-chip die temperature, voltage, and work counters, enabling genuine per-chip health visualisation once the telemetry path is understood.
  • Conventional miner behaviour underneath. Beneath the closed wrapper, the A3197S behaves like a standard SHA-256 miner — it rolls version and time fields and gates reports on an on-chip difficulty threshold. The difficulty of this work was discovery, not exotic chip behaviour.

4.3 Security & Privacy Findings (stock firmware)

Stated as conclusions only, without reproduction method, consistent with responsible disclosure. These reflect the stock firmware as analysed and are relevant to anyone running the device unmodified. No customer data or third-party systems were involved in establishing any of them.

Outbound telemetry. The stock firmware transmits operational data off-device to third-party endpoints (app). Combined with on-chain wallet visibility, this class of reporting can correlate a device, its operator, and its mining activity.

What this class of telemetry can enable. For mining devices generally, the combination of network address + pool identity + wallet/worker identity is a meaningful privacy risk:
| Data point | What it reveals | Persistence |
|---|---|---|
| Network / IP address | Approximate location, ISP | Changes with DHCP/VPN |
| Wallet / worker name | Mining identity; links to on-chain history | Permanent on-chain |
| Pool URL | Mining preference and activity | Changes with config |
| Hardware identifiers | Persistent device fingerprint | Permanent |
| Operational metrics | Hashrate, power, uptime, temperatures | Real-time |
A party holding such data can correlate a physical location with a mining identity and on-chain financial history. The custom firmware described next removes this exposure entirely.

7. Conclusion

The Canaan A3197S was, prior to this work, a closed and undocumented Bitcoin mining ASIC, reachable only through the vendor's encrypted firmware and locked to a low-output envelope. This study is, to the author's knowledge, the first public reverse-engineering of that chip.

The complete host-to-chip protocol was recovered — enumeration, configuration, calibration, work dispatch, version-rolling, and the nonce-report format — and proven by an independent driver (TNA-OS) that runs the twelve A3197S chips on an Avalon Nano 3s, on any pool, with modern protocol support and no third-party telemetry. Pool-side verification confirms clean, accepted work at the target rate, with zero rejects.

The firmware is a useful artifact. The achievement is the ASIC: a previously-sealed piece of Canaan silicon is now understood and driven independently for the first time.
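Section 4.1 above says the chip behaves like a standard SHA-256 miner: it rolls the version and time fields and only reports nonces that clear an on-chip difficulty threshold. Whatever the wire format, a host driver that takes such reports has to rebuild the exact header the chip hashed and re-apply that gate before forwarding anything to a pool, or a flaky chip or a corrupted bus frame turns into pool-side rejects. The following is an added example of that host-side check, not code from the article or from TNA-OS. The job fields, the dict used as the "nonce report", the `ntime_window` field and the toy difficulty of 2**-24 are all constructed for illustration; the real A3197S report layout is not described on this page. The version-rolling mask is the BIP 320 mask (bits 13..28) that AsicBoost miners use.

```python
"""Host-side verification of a nonce report from a version-rolling SHA-256d miner.

Added example; not from the article or TNA-OS. Job values, report layout and the
toy difficulty are constructed. The real A3197S report format is not documented here.
"""
import hashlib
import struct
from typing import Optional

# BIP 320: the 16 version bits (13..28) a version-rolling / AsicBoost miner may change.
VERSION_ROLL_MASK = 0x1FFFE000
# Bitcoin's difficulty-1 target (nBits 0x1d00ffff), the reference for share difficulty.
DIFF1_TARGET = 0xFFFF << 208


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the block-header hash every SHA-256 miner computes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize_header(version: int, prev_hash: bytes, merkle_root: bytes,
                     ntime: int, nbits: int, nonce: int) -> bytes:
    """80-byte block header; integer fields little-endian, hashes as raw 32 bytes."""
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", ntime, nbits, nonce))


def share_difficulty(header: bytes) -> float:
    """Difficulty of a header hash relative to the difficulty-1 target."""
    h = int.from_bytes(sha256d(header), "little")  # target comparison is little-endian
    return DIFF1_TARGET / h if h else float("inf")


def roll_version(base_version: int, rolled_bits: int) -> int:
    """Merge the job's version with the rolled bits, touching only the BIP 320 mask."""
    return (base_version & ~VERSION_ROLL_MASK) | (rolled_bits & VERSION_ROLL_MASK)


def verify_report(job: dict, report: dict, min_difficulty: float) -> bool:
    """Rebuild the header the chip hashed and re-apply its difficulty gate.

    A report that fails here is a chip fault or a corrupted bus frame and must
    not be forwarded to the pool.
    """
    if report["version_bits"] & ~VERSION_ROLL_MASK:
        return False                     # rolled a bit outside the allowed mask
    if not job["ntime"] <= report["ntime"] <= job["ntime"] + job["ntime_window"]:
        return False                     # ntime outside the window the host handed out
    header = serialize_header(roll_version(job["version"], report["version_bits"]),
                              job["prev_hash"], job["merkle_root"],
                              report["ntime"], job["nbits"], report["nonce"])
    return share_difficulty(header) >= min_difficulty


def simulate_chip(job: dict, min_difficulty: float,
                  nonces_per_version: int = 64) -> Optional[dict]:
    """Toy model of the chip: hash a small nonce range per version value, roll the
    version bits, and report the first (version_bits, ntime, nonce) clearing the gate."""
    for vb in range(1 << 16):
        version = roll_version(job["version"], vb << 13)
        for nonce in range(nonces_per_version):
            header = serialize_header(version, job["prev_hash"], job["merkle_root"],
                                      job["ntime"], job["nbits"], nonce)
            if share_difficulty(header) >= min_difficulty:
                return {"version_bits": vb << 13, "ntime": job["ntime"], "nonce": nonce}
    return None


# Constructed job (not real chain data). The toy gate of 2**-24 means a hit every
# ~256 hashes, so the simulation finishes instantly instead of needing ~2**32 hashes.
SAMPLE_JOB = {
    "version": 0x20000000,
    "prev_hash": bytes.fromhex("11" * 32),
    "merkle_root": bytes.fromhex("22" * 32),
    "ntime": 1_700_000_000,
    "ntime_window": 600,
    "nbits": 0x1D00FFFF,
}
TOY_DIFFICULTY = 1 / (1 << 24)


def demo() -> dict:
    """Run the toy chip, then check its report (and two corrupted copies) as a host would."""
    report = simulate_chip(SAMPLE_JOB, TOY_DIFFICULTY)
    bad_mask = {**report, "version_bits": report["version_bits"] | 0x1}
    stale = {**report, "ntime": SAMPLE_JOB["ntime"] + SAMPLE_JOB["ntime_window"] + 1}
    return {
        "report": report,
        "accepted": verify_report(SAMPLE_JOB, report, TOY_DIFFICULTY),
        "mask_violation_accepted": verify_report(SAMPLE_JOB, bad_mask, TOY_DIFFICULTY),
        "stale_ntime_accepted": verify_report(SAMPLE_JOB, stale, TOY_DIFFICULTY),
    }


if __name__ == "__main__":
    print(demo())
```

With a real chip the host would also compare the share against the pool's target (usually far above the on-chip gate) and ignore a report whose job id no longer matches the current work, but the structure is the same: rebuild, rehash, gate, then submit.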
26 sats \ 0 replies \ @optimism 2h

While the custom firmware gets tested (where is it?), probably the best way to disable the telemetry is to block outgoing connections on the DMZ except for stratum endpoints. One should have done that regardless, but one may not have.

PS: reads like a (partial) bot report <sad smiley>

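A concrete form of the egress rule the comment above suggests, as an added example that is not from the article, TNA-OS or the commenter: derive the allowed destinations from the pool URLs in the miner's config and emit a default-deny nftables ruleset for the miner segment. The miner subnet, the DNS resolver, the pool URLs and the addresses they resolve to are all constructed; on a real router you resolve the pool hostnames yourself and regenerate the rules when the pool's addresses change.

```python
"""Default-deny egress for a miner DMZ: only the configured stratum pools get out.

Added example; not from the article, TNA-OS or the comment. Subnet, resolver,
pool URLs and resolved addresses are constructed.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

MINER_NET = "10.0.50.0/24"   # constructed: the VLAN/DMZ the miners sit in
DNS_SERVER = "10.0.50.1"     # constructed: the only resolver the miners may reach

# Constructed: pool URLs as they would appear in the miner's config, and the
# address each hostname resolved to when the ruleset was generated.
POOLS = [
    "stratum+tcp://pool.example.net:3333",
    "stratum+ssl://backup.example.org:443",
]
RESOLVED = {
    "pool.example.net": "203.0.113.7",
    "backup.example.org": "198.51.100.21",
}


def parse_stratum_url(url: str) -> tuple:
    """Extract (host, port) from a stratum+tcp:// or stratum+ssl:// pool URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("stratum+tcp", "stratum+ssl"):
        raise ValueError(f"not a stratum URL: {url}")
    if parts.port is None:
        raise ValueError(f"stratum URL needs an explicit port: {url}")
    return parts.hostname, parts.port


def build_policy(pools=POOLS, resolved=RESOLVED) -> list:
    """Allowed (ip, port) TCP destinations for the miner segment."""
    allowed = []
    for url in pools:
        host, port = parse_stratum_url(url)
        allowed.append((resolved[host], port))
    return allowed


def render_nft_ruleset(allowed: list, miner_net=MINER_NET, dns=DNS_SERVER) -> str:
    """nftables ruleset: miners may reach the resolver and the listed pools, nothing else.

    The forward chain has policy drop, so other segments routed through this box
    need their own accept rules; only the miner rules are shown here.
    """
    lines = [
        "table inet miner_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {miner_net} ip daddr {dns} udp dport 53 accept",
    ]
    for ip, port in allowed:
        lines.append(f"    ip saddr {miner_net} ip daddr {ip} tcp dport {port} accept")
    # Everything else leaving the miner segment (vendor telemetry included) is logged and dropped.
    lines.append(f'    ip saddr {miner_net} counter log prefix "miner-egress-denied " drop')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def egress_allowed(allowed: list, src: str, dst: str, port: int, proto: str = "tcp",
                   miner_net=MINER_NET, dns=DNS_SERVER) -> bool:
    """Mirror of the ruleset's decision, to sanity-check flows before deploying it."""
    if ip_address(src) not in ip_network(miner_net):
        return False                     # policy drop; other segments not handled here
    if proto == "udp" and dst == dns and port == 53:
        return True
    return proto == "tcp" and (dst, port) in allowed


if __name__ == "__main__":
    policy = build_policy()
    print(render_nft_ruleset(policy))
    # A stock-firmware telemetry upload to some cloud endpoint on 443 is not on the list.
    print("telemetry to 198.51.100.40:443 allowed:",
          egress_allowed(policy, "10.0.50.12", "198.51.100.40", 443))
```

Load the printed ruleset with `nft -f`, then watch the kernel log for `miner-egress-denied` entries: with stock firmware those lines are the telemetry (and any update or time-sync traffic you still need to decide about), which is a cheap way to see what the device tries to reach before trusting any firmware's claim of "no telemetry".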
0 sats \ 0 replies \ @95fcb46795 2h freebie -69 sats

The fact that independent firmware achieved clean accepted shares with zero rejects is pretty impressive validation of the work.

5 sats \ 0 replies \ @Ohtis 2h -90 sats

Reading stuff like this makes me appreciate how much engineering is hiding inside what most people think is just a fancy space heater.