The feature allows the protection of RouterOS configuration and files from a physical attacker by disabling etherboot. It is called “Protected RouterBOOT”. This feature can be enabled and disabled only from within RouterOS after login, i.e., there is no RouterBOOT setting to enable/disable this feature. These extra options appear only under certain conditions. When this setting is enabled - both the reset button and the reset pin-hole are disabled. RouterBOOT menu is also disabled. The only ability to change boot mode or enable the RouterBOOT settings menu is through RouterOS. If you do not know the RouterOS password - only a complete format is possible.
So it should prevent access to configuration data even if you have physical access.
There also seems to be another reason to upgrade RouterBOOT firmware – namely on my CCR1009 I got a log message telling me that for optimal NAND management I should upgrade the RouterBOOT firmware. Device was on RouterOS 7.15 and it hung 2 or 3 times in the past couple of days, that’s when I noticed 0.1% bad sectors and this log message and I have managed to upgrade firmware to 7.6 by doing downgrade to 6.49.7, upgrading 3.39 factory firmware to 6.49.7 and then upgrading all to 7.6 and finally to 7.12.1 and 7.15.1.
I wanted to do the same on Audience but it refuses to upgrade the firmware with the special package no matter what RouterOS is installed (6.49.7 or 7.6).
I’m pretty sure that it’s an error in the documentation. It says it’s a procedure for upgrading “backup routerboot” … and then, out of the blue, it mentions a change in “factory firmware” version. As far as I understand, the “factory firmware” version doesn’t relate to any of the installed routerboots (neither primary nor backup), it’s metadata baked into flash and is there to ensure that routerboot doesn’t get downgraded below the version which is guaranteed to boot the particular device (and the routerboot shipped in a particular device from the factory is a pretty good candidate). Quite some time ago this metadata did not exist but devices did have both routerboots (main and backup).
No, you can’t upgrade “Factory firmware”, as I explained it’s simply information about the lowest possible firmware version to which routerboot can be downgraded … and consequentially there’s no need to “upgrade” this to a higher version.
Current routerboot version is displayed as “Current firmware”. It’s only the information about backup routerboot version which isn’t shown/available.
Factory firmware is whatever that’s available in your device in case you start over.
I’m not aware if a netinstall can wipe this (it should) but generally speaking when you update the RouterOS you can do another reboot to have the bootloader updated as well.
The bootloader is like bios if compared to your computer and the routeros/swos is the operating system.
I think documentation means devices with version 7 factory firmware, but less than 7.6 get upgraded to a v7.6 factory firmware with protected router boot function.
Devices with older (v3, v6) factory firmware get an updated factory firmware (not v7) which has the new protected router boot function. (which is also supported with newish v6 routeros)