I would like to be sure,
If I set reformat-hold-button to 91s
reformat-hold-button-max to 92s.
boot = nand only, disabled jumper reset.
enabled protected routerboard,
factory firmware = 3.41
If someone does not know those 90 and 91s numbers, values,
is there any possible way (including opening the device and connecting directly with cables, electronically to the PCB) to reformat it and use it for something else or with a different configuration?
Or is it really full 100% secure, impossible to reset, reformat, without knowing password?
If such configured device will be stolen, is it possible for thief to use it for something or will it be just as brick for him?
I remove the nand, put it on one device like "usb stick"
and read them...
The NAND does not use an encrypted FS and is readable by Linux....
On an old device without protected routerboot activated it is possible to etherboot the device and read inside the NAND like shared folders...
It's impossible to fully secure anything...
Protected routerboot etc. are only for "secure" standard "end user" for reset the device, and "standard" competitor to easy read your configuration...
but to remove the NAND you have to disassemble it, use a soldering iron or station; without knowledge of electronics you won't do that, right?
The NAND is not easily replaceable or removable:
that level of difficulty is OK.
Removing and reading nand is cheaper than buying new device?
I think that doing that is more expensive than buying.
I only want to point out that you cannot store security-relevant information inside the router.
For standard users, as I have written, protected-routerboot is fundamental
(sorry for my English...)
It's not so much about information and data on the NAND.
What I care about is not access to relevant information, but use of my device by someone who stole it.
OK, I suggest you:
on system routerboard settings
reformat-hold-button = xxx (reasonable amount of seconds)
reformat-hold-button-max = reformat-hold-button + 10s (give yourself the possibility to reset the device if something goes wrong...)
/partitions set [find] fallback-to=part0 (this disables etherboot on software fail)
do NOT change admin username
create one new "full admin" username with strong password
create a new users group without any rights
assign new users group to "old" admin user
disable admin user and set a random password for it
disable all unused admin services: telnet, ssh, api and api-ssl, www and www-ssl (webfig)
and if you want to be extreme:
first create some script to open winbox temporarily after a knock on some ports in some exact order
then disable all remote admin services: telnet, ssh, api and api-ssl, www and www-ssl (webfig), winbox
I'm Italian, not English. Sorry for my imperfect grammar.
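
The checklist from the last post, written out as RouterOS console commands. This is an added example, not part of the thread; the user and group names, passwords, hold times and knock ports are constructed placeholders, and the firewall address-list knock shown here is a swapped-in variant that leaves the winbox service enabled but filtered, rather than the script the poster describes.

```routeros
# Added example. All names, passwords, times and ports below are placeholders.

# RouterBOOT protection: reset button only reformats when held for a time
# inside the window [reformat-hold-button, reformat-hold-button-max].
# 20s/30s are constructed values (hold time + 10s, as the post suggests).
/system routerboard settings set protected-routerboot=enabled \
    reformat-hold-button=20s reformat-hold-button-max=30s

# No Etherboot fallback on software failure (command taken from the post).
/partitions set [find] fallback-to=part0

# New full administrator first, so you cannot lock yourself out.
/user add name=netadmin group=full password="CHANGE-ME-long-random-1"

# Group with no rights; confirm with "/user group print" that no policy is set.
/user group add name=no-rights

# Keep the "admin" name, but strip its rights, randomize its password, disable it.
/user set admin group=no-rights password="CHANGE-ME-long-random-2"
/user disable admin

# Disable the management services listed in the post.
/ip service disable telnet,ssh,api,api-ssl,www,www-ssl

# "Extreme" variant (assumption: firewall-based knock instead of a script).
# Knock TCP 7001, then TCP 7002 within 10s; the source may then reach
# winbox (TCP 8291) for 30 minutes. Everyone else is dropped on 8291.
# Place these above any broader accept rules in the input chain.
/ip firewall filter
add chain=input protocol=tcp dst-port=7001 action=add-src-to-address-list \
    address-list=knock-stage1 address-list-timeout=10s comment="knock 1"
add chain=input protocol=tcp dst-port=7002 src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=knock-ok \
    address-list-timeout=30m comment="knock 2"
add chain=input protocol=tcp dst-port=8291 src-address-list=knock-ok \
    action=accept comment="winbox after knock"
add chain=input protocol=tcp dst-port=8291 action=drop comment="winbox default deny"
```

Log in as the new administrator from a second session before disabling `admin`, and record the hold times somewhere off the device, since they are the only way back in through the reset button.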