Validate device firmware/OS

Is there a way to validate the firmware/OS of a device?

I was shipped a MikroTik device from a vendor, and it was not configured as expected (could not ping the device default IP). After an hour or two of troubleshooting, I performed a factory reset using the button on the front panel, and suddenly ping starts working.

The vendor claims the device is "brand new". I obviously do not believe this claim. Something had to be configured before that I was not able to connect to the default IP address. They also do not want to ship a replacement device that does come with a configuration as expected.

I am now looking for a method to validate the firmware and entire OS on the device - to know whether it has been tampered with in any fashion.

Just do netinstall. It formats the disk and puts a fresh factory version of ROS on it.
You can downgrade/upgrade to be sure that the firmware is overwritten. There is no easy way to check the non-erasable boot firmware that starts the whole netinstall procedure in the device.

I don't know what this does, or whether it checks that RouterOS and all installed packages have correct checksums.
But maybe somebody in this forum can fill the gaps in my knowledge.
You can go to /system/packages and press Check installation like in this picture, and then press start.

Netinstall = format is the best way to go.

AFAIK, /system/package/check-installation just checks the package signatures, e.g. that routeros.npk etc. are from MikroTik. But it does not check that the config is default.

Agree that netinstall is good practice since one never knows. At the same time, the config should be the default from the box. Now whether it's your vendor, or perhaps (but unlikely) MikroTik factory had a bad day... you should need neither netinstall nor a reset-configuration. But if worried, netinstall is the answer. And that will check package signatures, so a separate "check installation" is needed.

Did you connect via the "WAN" port, which is firewalled by default? I am not sure if a reset wipes everything (and enables connecting via the WAN port).

Well, it is not certain that this happened. I have seen before that new devices would not work via IP until a button-reset is performed. Apparently sometimes the default configuration is not applied, or the wrong type of configuration is somehow applied (e.g. CAPs mode).

Usually you can connect via MAC and that will work. But it is too late now to verify that.

I would not panic, and when you want to be 100% sure, use netinstall. It is a good exercise anyway, as it will normally not work until you get some experience, and it is always good to have that experience before you really need it.

I am connecting to the port with the additional label "BOOT". From the documentation this is the port to use for initial configuration. The device is just a router, not a firewall, so there are no WAN/LAN ports.

When the device was received this port did not "work" (I mean technically, it was probably working with whatever config was there, but it did not work as expected for a factory config). Upon a factory reset it immediately started responding as expected (ping and HTTP service on 192.168.88.1).

I don't think you would compromise your privacy by posting the model of the Mikrotik device you are using.

Most (if not all) common SOHO Mikrotik devices (routers and APs) do have a default configuration with one port (ether1) set as "WAN" and all the rest assembled into a bridge and set as LAN with a firewall between them. ("professional" devices are an exception as they usually come without any configuration)

The port with the additional label "BOOT" is - usually - ether1 and WAN.

You MUST use it for Netinstall.
you MUST NOT use it to connect to the device.

This is point #22 here:
GP & CSA (Good Practice and Common Sense Advice) for Mikrotik devices

Thanks!

This is the kind of experience that I'm looking to see if anyone has come across before.

Agreed that it is, unfortunately, too late to do a full forensic/root-cause analysis of what was going on with the device as received.

I will add that the box the device came in hardly seems "new" either. I have only ever received demo equipment that came similarly packaged (visibly worn cardboard). Not the kind of shipping damage to a box, like dents or scrapes, but the kind of worn in look that comes from something being opened or handled many times before.

It is a CCR-2004-16G-2S+ router.

I connected to the port labelled "15/BOOT". I also tried ports 1 & 2 before performing the factory reset.

Immediately after the reset, I was able to ping and reach HTTP service on the expected default IP address (192.168.88.1) while connected to port 15.

For all attempts, I gave my device 192.168.88.2/24, no gateway, no DNS. Only a cable from laptop to router, no other networks connected (WiFi off).

Aha OK that explains things!

The CCR2004 is a "professional" device. It does not come with the default config that most people know, it only has a DHCP client active on ether1. You can plug it into a network and look in its DHCP server what address it has received, and then you can connect it there.

Alternatively you can use the serial port or the MAC-level connect in Winbox.

Yes, the CCR2004 is one of the professional devices, so while it should not have the "default" configuration of the SOHO devices, it should still have a 192.168.88.1/24 configured on a port (the one marked as MGMT/BOOT, which is actually #15 on the CCR2004).

But - evidently - this doesn't always happen, as the instructions first say:

  • Connect your PC to the MGMT/BOOT port;
  • Connect the device to a power source;
  • Configure the IP settings of your network card to 192.168.88.2/24;
  • Configuration should be made using WebFig in a web browser or the WinBox configuration tool https://mt.lv/WinBox;
  • Open http://192.168.88.1 in a web browser to start setup. ...

and then swiftly add:

  If the IP address is unavailable, use WinBox and choose the "Neighbors" tab to find the device. Proceed to connect using the MAC address.

So it must not be unheard of that a device comes without a valid IP address assigned from factory.

The WHOLE default configuration should anyway amount to something like:

/port set 0 name=serial0
/ip address add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
/system routerboard settings set enter-setup-on=delete-key

which should be what is loaded by a reset.
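Earlier in the thread it was noted that check-installation verifies package signatures but says nothing about whether the configuration is the factory default. The following added example (not from this forum, MikroTik or RouterOS itself) normalises a RouterOS /export dump and diffs it against the three-line default quoted in this post, listing commands that should not be there and default commands that are missing; the sample export is constructed for the demonstration.

```python
import shlex
VERBS = {"add", "set", "remove", "enable", "disable"}  # RouterOS command verbs

# Factory default for the CCR2004 as quoted in the thread above.
EXPECTED_DEFAULT = """\
/port set 0 name=serial0
/ip address add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
/system routerboard settings set enter-setup-on=delete-key
"""

# Constructed sample '/export' dump (not from a real device): the management
# address is gone and two entries a factory image would not carry are present.
SAMPLE_EXPORT = """\
# model = CCR2004-16G-2S+
/port set 0 name=serial0
/ip address
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0
/system routerboard settings
set enter-setup-on=delete-key
/system scheduler
add interval=1d name=nightly on-event=":log info test" \\
    start-time=startup
"""

def flatten_export(export_text):
    """One canonical '/path verb [pos...] k=v...' line per export command."""
    flat, section, pending = [], [], ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):              # export wraps long commands with '\'
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):  # header/comment lines carry no config
            continue
        tokens = shlex.split(line)
        if tokens[0].startswith("/"):        # section header, verb may be inline
            verb_at = next((i for i, t in enumerate(tokens) if t in VERBS), None)
            if verb_at is None:              # bare '/path': remember the section
                section = tokens
                continue
            section, tokens = tokens[:verb_at], tokens[verb_at:]
        positional = [t for t in tokens[1:] if "=" not in t]
        pairs = sorted(t for t in tokens[1:] if "=" in t)  # order-independent
        flat.append(" ".join([*section, tokens[0], *positional, *pairs]))
    return flat

def compare_to_default(export_text, default_text=EXPECTED_DEFAULT):
    # Returns (unexpected, missing); both empty means the export is the clean default.
    actual, expected = set(flatten_export(export_text)), set(flatten_export(default_text))
    return actual - expected, expected - actual
```

Run it against the output of `/export` taken over the serial console or a MAC-level Winbox session before the device has been connected to anything else; a non-empty "unexpected" set is what to investigate, and netinstall remains the way to get back to a known state.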

Ok I think I have seen on recent RouterOS and CCR devices that it came up the same way as a CHR... (DHCP client on first ethernet port).

But maybe it was a mistake. As you say, it is not really stable on anything but a home router (which comes with that full default config that includes a DHCP server). It is not unusual to have issues with initial contact.

(and then I am not even considering that sometimes you get the wrong sticker and the password doesn't work... :grinning_face: )

When in doubt, use the serial port. That is what I always do because I need to config devices that aren't on my local network range.

I work with enterprise gear regularly. I've never had the initial connection instructions result in not being able to connect. I've never had to factory reset a device to get it to work as expected out of the box.

Granted, that is anecdotal evidence with a sample size of 1, so statistically meaningless. But it is my experience nonetheless.

Thanks everyone for your input.

The vendor has replied that they have never seen this happen with a device before.

As such, they have shipped a replacement.