kmailz
just joined
Topic Author
Posts: 2
Joined: Sun Feb 22, 2015 10:16 pm

Protected RouterBOOT

Sun Feb 22, 2015 10:44 pm

Hi all,
I found the new protected-routerboot setting in the Wiki. Sounds too good to be true, so I've installed the update package for the backup RouterBOOT. Did everything as written in the Wiki. And the result? Nothing, I was still able to boot into netinstall mode.
It took me two days of fun to find that my RB is not supported.
rb_log.jpg
RB 750
ROS 6.27
RB FW: 3.22

Here comes the question: will the 750 be supported? :)

And please specify supported models in Wiki.

Thanks :)
 
normis
MikroTik Support
Posts: 24077
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Mon Feb 23, 2015 12:35 pm

older devices have no ability to upgrade backup bootloader. only RB9xx and newer are supported
No answer to your question? How to write posts
 
kmailz
just joined
Topic Author
Posts: 2
Joined: Sun Feb 22, 2015 10:16 pm

Re: Protected RouterBOOT

Mon Feb 23, 2015 9:47 pm

Okay thanks.

from wiki:
> Newer devices will have this new backup loader already installed in factory
Will this be applied to older devices like RB750?
 
Caci99
Forum Guru
Posts: 1050
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Protected RouterBOOT

Wed Feb 25, 2015 11:24 pm

This is a good feature but not as I would have expected it to act yet. It is a good first step to protect the routerboards which are installed into the open.

My main concern is about SXT Lite. What actually happens, is that a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT. Keep in mind that SXT is generally offered free of charge to the customer, so there is one lost. Time after time this is a considerable loss. I have even asked support long time ago if there was any way to stop others from stealing routerboards installed at open by resetting or netinstall-ing them. But there was no way to protect a routerboard from netinstall.

This new method is a good step at protecting the routerboards, but still one can netinstall by holding the reset button for the given time. I just tested it on a SXT, and the SXT even flashes after the time is reached, indicating that the button can be released and it enters into netinstall.

My suggestion would be, is it possible to add a password to protect the routerboard from netinstall? A password which will prompt at the netinstall window? This is a better way to protect it.
I am glad that this issue has been addressed since it is a serious one, but I think it needs to be better than as it is now at this stage.
-Toni-
Don't crash the ambulance, whatever you do
 
marrold
Member
Posts: 406
Joined: Wed Sep 04, 2013 10:45 am

Re: Protected RouterBOOT

Wed Feb 25, 2015 11:57 pm

> a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT
This is a 'contract' issue, not a software / hardware problem. I can't think of many/any devices that can't be forced to factory reset in some way.
I'm a SIP / VoIP engineer. Feel free to ask questions...
 
Caci99
Forum Guru
Posts: 1050
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Protected RouterBOOT

Thu Feb 26, 2015 12:13 am

> This is a 'contract' issue, not a software / hardware problem. I can't think of many/any devices that can't be forced to factory reset in some way.
Oh well, so nothing to do about it, right? What about routerboards on towers and masts out in the open? Are you going to pay guards whose salary exceeds the value of the devices? And it depends on the country where you live. Here where I am, half of the customers don't want contracts, if you talk about contracts they look at you as if you are talking alien. I am talking things that do happen in real life not about hypothetical situations.
As I said, it is a good thing MikroTik introduced this feature, it only needs to be better.
 
marrold
Member
Posts: 406
Joined: Wed Sep 04, 2013 10:45 am

Re: Protected RouterBOOT

Thu Feb 26, 2015 9:51 am

Like I said, I can't think of a single device that can be completely locked down. Most can be factory reset in some way, even if you have to solder something to the serial port on the board etc.

In the ideal world, how would Protected RouterBOOT work for you?
 
normis
MikroTik Support
Posts: 24077
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Thu Feb 26, 2015 12:06 pm

How does password differ from Protected RouterBOOT setting?

The only difference is ability to format the device for reset, but this is for the situation where you forget the password. Otherwise you would just brick it without recovery.

There is no way to protect against reset. If somebody really wants, they could even remove the NAND.
 
Caci99
Forum Guru
Posts: 1050
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Protected RouterBOOT

Thu Feb 26, 2015 7:36 pm

> Like I said, I can't think of a single device that can be completely locked down.
And I can't think of a single bank which can't be stolen, coincidentally one was stolen two weeks ago in my town :). This doesn't mean that measures have to be taken.
> How does password differ from Protected RouterBOOT setting?
The password I mentioned was about the netinstall, but you don't have to follow my idea, you surely can come up with a better one. For example, a pattern pressing the button, like a port knocking. Like 20s keeping it pressed, then 5s pause, then 10s pressed and so on.
I may have understood it wrong, but I think Protected RouterBOOT was introduced to protect the router from being accessed by unauthorized people and as it stands now, unauthorized people can still access the routerboard by netinstall. All they need to do is a 5min read of the wiki and 5min test like I did.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Fri Mar 27, 2015 7:05 pm

I've been trying to figure out what the actual purpose of protected-bootloader is, and I cannot yet figure it out.

First, without the admin password, I don't know of any way to steal someone's configuration file. Sure, you can netinstall and reset the unit, which will delete the config, but that won't get you the old configuration. So, the purpose of protected-bootloader is not to protect the config file.

Second, you can netinstall and reinstall mikrotik regardless of the protected-bootloader setting, without knowing the admin password, and without knowing the seconds setting. Simply hold the button until it flashes, and then netinstall. Easy. So, the purpose of protected-bootloader is not to stop netinstall from working.

So ... what is the purpose of protected-bootloader???
 
andriys
Forum Guru
Posts: 1115
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Protected RouterBOOT

Fri Mar 27, 2015 7:45 pm

> I may have understood it wrong, but I think Protected RouterBOOT was introduced to protect the router from being accessed by unauthorized people
Yes, you understood it wrong. Protected RouterBOOT is for protecting configuration of your device (including all the sensitive data it may contain) from access by unauthorized persons, but not to protect the device itself.
 
andriys
Forum Guru
Posts: 1115
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Protected RouterBOOT

Fri Mar 27, 2015 7:48 pm

> First, without the admin password, I don't know of any way to steal someone's configuration file. Sure, you can netinstall and reset the unit, which will delete the config, but that won't get you the old configuration. So, the purpose of protected-bootloader is not to protect the config file.
You can boot anything using Netinstall, not just RouterOS installer. You can boot Linux there, login via ssh and read whatever is stored on the NAND chip. Protected RouterBOOT prevents that.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Fri Mar 27, 2015 8:03 pm

Ah, ok. Thank you.
 
normis
MikroTik Support
Posts: 24077
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Sat Mar 28, 2015 9:43 am

Yes exactly.

Protecting against reset is not possible, since then you would have devices that can only be discarded / thrown away, if somebody forgets the password. Not something anybody wants really.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 7:39 pm

> Yes exactly.
>
> Protecting against reset is not possible, since then you would have devices that can only be discarded / thrown away, if somebody forgets the password. Not something anybody wants really.

Actually, based on the other posts here, I think that people DO want a device that would have to be discarded if the password is lost.

I think it would be better for a device to be thrown away, rather than a competitor to end up using it. Theft deterrent.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 7:43 pm

> Like I said, I can't think of a single device that can be completely locked down. Most can be factory reset in some way, even if you have to solder something to the serial port on the board etc.
Wrong. There ARE devices that are useless without a password. iPhones and iPads have a locking feature where ONLY the owner can unlock it. If someone else gets a hold of the device, other than the owner, it is impossible to use (unless the owner unlocks it first).

It's called "Activation Lock" or "Find My iPad". There is currently no known way to bypass this lock. There are many stories of buying these devices on eBay when the original owner did not unlock it (or it was stolen and resold), where the purchaser had no way to use it.

So, not an exact comparison, but yes there are tech devices that can be completely locked down.
 
freemannnn
Long time Member
Posts: 655
Joined: Sun Oct 13, 2013 7:29 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 7:59 pm

where exactly is this option of protected-routerboot? i can't find it in my rb2011 and rb951 latest ros and firmware.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 8:14 pm

> where exactly is this option of protected-routerboot? i can't find it in my rb2011 and rb951 latest ros and firmware.
You have to do it from the command line:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader
 
freemannnn
Long time Member
Posts: 655
Joined: Sun Oct 13, 2013 7:29 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 8:18 pm

i already read the wiki. but i can't find it even in terminal. can you give me the command?
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 8:33 pm

> i already read the wiki. but i can't find it even in terminal. can you give me the command?
Did you follow the instructions in the wiki, INCLUDING downloading and installing the required package?

http://www.mikrotik.com/download/share/ ... e_6_27.dpk
 
freemannnn
Long time Member
Posts: 655
Joined: Sun Oct 13, 2013 7:29 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 8:38 pm

no i didn't install this package. so i have to drag and drop it in files and reboot to get it installed? and after that i will find the option in settings?
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 9:08 pm

> no i didn't install this package. so i have to drag and drop it in files and reboot to get it installed? and after that i will find the option in settings?
Correct, this package is required for it to work. Install it just like you would any upgrade package.
 
freemannnn
Long time Member
Posts: 655
Joined: Sun Oct 13, 2013 7:29 pm

Protected RouterBOOT

Sun Mar 29, 2015 12:43 am

If I understand correctly, the reformat-hold-button (5s .. 300s; Default: 20s) is a last option to get access to the device while losing the configuration. So if I set this to e.g. 230 sec, it's impossible for the next guy who tries to reset it this way to find this timing, right?
The device gets unusable if you don't leave the default seconds at 20. Who will try sec by sec to find the right one?
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Protected RouterBOOT

Sun Mar 29, 2015 12:59 am

> If I understand correctly, the reformat-hold-button (5s .. 300s; Default: 20s) is a last option to get access to the device while losing the configuration. So if I set this to e.g. 230 sec, it's impossible for the next guy who tries to reset it this way to find this timing, right?
> The device gets unusable if you don't leave the default seconds at 20. Who will try sec by sec to find the right one?
I'd bet they could also keep it pressed for longer, just not shorter.

So the next guy, worst case scenario, will have to sit like an idiot for 5 minutes (300 seconds) pressing that button down, at least until a led starts flashing... If they're REALLY motivated to reuse your equipment, they might actually do it... or (if this becomes a common practice) create a rig that keeps the button pressed, until they manually pull it out of said rig, 5 minutes later.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
freemannnn
Long time Member
Posts: 655
Joined: Sun Oct 13, 2013 7:29 pm

Protected RouterBOOT

Sun Mar 29, 2015 1:06 am

Ahhh ok, I didn't see that a LED will start flashing when the right time in seconds is reached. I thought you have to be very lucky, blindly counting with a watch, trying to guess when you have to stop pressing the button.
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Protected RouterBOOT

Sun Mar 29, 2015 1:15 am

> Ahhh ok, I didn't see that a LED will start flashing when the right time in seconds is reached. I thought you have to be very lucky, blindly counting with a watch, trying to guess when you have to stop pressing the button.
Actually, you might be right... I was extrapolating from the fact a "normal" reset has a led flashing as an indicator, but I see no indication in the wiki that this would happen with a protected boot's reset.

But still... I'd guess you could keep the button pressed for longer, so if the next guy keeps it pressed for 5 minutes, they're guaranteed to reset it.

Alternatively, there may be some small window around the time (e.g. 5 seconds, maybe 10). I mean, there MUST be SOME sort of window, considering that even if you KNOW the exact number of seconds needed and you have a clock with you, you're unlikely to hit that exact second, and having the button accept 5 additional seconds would let you hold down the button for one or two more seconds, rather than "just barely making it".

If there's 5 second window, it means one has to check 59 possible 5 second intervals, which would in turn cover the remaining 235 settings. Admittedly, even 59 attempts is a little too many for a manual process like this one.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sun Mar 29, 2015 2:18 am

Yes, the light flashes when the correct number of seconds has been reached. The "seconds" is really not a security measure at all, I don't know why they make it adjustable since the light flashes anyway.
 
jarda
Forum Guru
Posts: 7601
Joined: Mon Oct 22, 2012 4:46 pm

Sun Mar 29, 2015 9:14 am

I see this function to be rather useless complication than anything I would like to install to my devices...
 
freemannnn
Long time Member
Posts: 655
Joined: Sun Oct 13, 2013 7:29 pm

Re: Protected RouterBOOT

Sun Mar 29, 2015 11:34 am

Apple's security "find my iphone" I think is one of the best for the moment. They lock the device to the owner. You format the device and it asks for the last owner's Apple ID so you can use it again. But this is right for devices that can be stolen, e.g. mobiles.

If this happens to routers, CPE owners like organizations, hotels etc. will start a war with mikrotik for not being able to reset them because of a past IT that passcoded them!
 
andriys
Forum Guru
Posts: 1115
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re:

Sun Mar 29, 2015 3:29 pm

> I see this function to be rather useless complication than anything I would like to install to my devices...
Other people's mileage may vary. I see Protected RouterBOOT as another important step towards corporate market, where it is mandatory, for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment.

Cisco ASA, for instance, has similar feature: "no service password-recovery".
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Re:

Sun Mar 29, 2015 3:43 pm

> for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment
You don't need protected RouterBOOT for that particular scenario.

If the personnel has physical access to the device, but not the router password, they can reset the device, and upon normal reset, all settings, including said IPsec shared secrets, are lost. Only the HDD contents are preserved.

What the protected RouterBOOT protects from is if the personnel decides to ditch your IPsec shared secrets, in favor of a different network setup (say, one without IPsec at all) that they'll start setting up from scratch on their own (effectively taking the router for themselves; The bastards!)... or if the HDD contains sensitive data that wouldn't otherwise be gone, like say, a User Manager database.
 
normis
MikroTik Support
Posts: 24077
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Re:

Sun Mar 29, 2015 4:02 pm

>> for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment
> You don't need protected RouterBOOT for that particular scenario.
>
> If the personnel has physical access to the device, but not the router password, they can reset the device, and upon normal reset, all settings, including said IPsec shared secrets, are lost. Only the HDD contents are preserved.
>
> What the protected RouterBOOT protects from is if the personnel decides to ditch your IPsec shared secrets, in favor of a different network setup (say, one without IPsec at all) that they'll start setting up from scratch on their own (effectively taking the router for themselves; The bastards!)... or if the HDD contains sensitive data that wouldn't otherwise be gone, like say, a User Manager database.
no, they actually could boot a different OS and read your settings ... netinstall is not the only thing you can boot.
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Re:

Sun Mar 29, 2015 4:51 pm

> no, they actually could boot a different OS and read your settings ... netinstall is not the only thing you can boot.
Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
 
andriys
Forum Guru
Posts: 1115
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Re:

Sun Mar 29, 2015 5:15 pm

> Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
No. Even with "boot-device=nand-only" you can force network boot with reset button.
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Protected RouterBOOT

Sun Mar 29, 2015 5:35 pm

>> Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
> No. Even with "boot-device=nand-only" you can force network boot with reset button.
Oh. I see... it all makes sense now.
 
troffasky
Member
Posts: 394
Joined: Wed Mar 26, 2014 4:37 pm

Re: Protected RouterBOOT

Sun Mar 29, 2015 9:50 pm

> If this happens to routers, CPE owners like organizations, hotels etc. will start a war with mikrotik for not being able to reset them because of a past IT that passcoded them!
I doubt it. Mikrotik can't be blamed for your IT not giving you the password they've set on your kit.
To cite another example, the recovery procedure for a lost password on a Mobotix IP camera is to send it back to the factory in Germany, and that particular feature can't be turned off :-)
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth

Re: Protected RouterBOOT

Sun Aug 02, 2015 11:21 am

I just installed the pack on a 911 board and as per the log it was installed,
but in routerboard>settings I am unable to find any option to enable it.

Can anyone guide me with the exact command / process?

Thanks
 
normis
MikroTik Support
Posts: 24077
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Mon Aug 03, 2015 9:36 am

No answer to your question? How to write posts
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth

Re: Protected RouterBOOT

Mon Aug 03, 2015 10:37 am

I am not getting the options after I have installed the package,
that's why I am asking here
 
normis
MikroTik Support
Posts: 24077
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Mon Aug 03, 2015 10:47 am

> I am not getting the options after I have installed the package,
> that's why I am asking here
did you check the log, after installing the package? it usually gives reason what failed. maybe your device is too old. it will say in the log. try to upload and reboot once more, then check log

package: http://www.mikrotik.com/download/share/ ... e_6_27.dpk
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth

Re: Protected RouterBOOT

Mon Aug 03, 2015 11:04 am

As per log it was installed
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth

Re: Protected RouterBOOT

Tue Aug 04, 2015 4:07 pm

Please reply why i am not getting the options
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth

Re: Protected RouterBOOT

Thu Aug 06, 2015 7:39 am

Please someone reply why i am not getting the options
 
andriys
Forum Guru
Posts: 1115
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Protected RouterBOOT

Thu Aug 06, 2015 1:18 pm

> Please someone reply why i am not getting the options
Write to support[at]mikrotik.com asking this same question. This is a user forum, and I believe protected RouterBOOT is not a widely used option.
 
longerCZ
just joined
Posts: 13
Joined: Thu Aug 22, 2013 2:12 pm

Re: Protected RouterBOOT

Mon Sep 07, 2015 7:55 pm

Hello guys, can you please help me clarify following situation?

I give my clients MikroTik hAP lite routers and I want to protect them from being accidentally reset (our customers like to touch hidden buttons, don't know why). So I have done the following settings with the discussed new feature, like this:
boot-device: nand-only
cpu-frequency: 650MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
protected-routerboot: enabled
reformat-hold-button: 5m
So now:
- holding the reset button for a reasonable time does nothing
- it boots just from NAND, so there is no chance to boot from network

But what exactly happens when someone holds the reset button for more than 5 minutes? Does it enable Netinstall or just reset the config? I have tried to press it longer than the "reformat-hold-button" time on one testing device and it seems to be bricked...

Thanks a lot!
 
normis
MikroTik Support
Posts: 24077
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Tue Sep 08, 2015 1:04 pm

> Hello guys, can you please help me clarify following situation?
>
> I give my clients MikroTik hAP lite routers and I want to protect them from being accidentally reset (our customers like to touch hidden buttons, don't know why). So I have done the following settings with the discussed new feature, like this:
> boot-device: nand-only
> cpu-frequency: 650MHz
> boot-protocol: bootp
> force-backup-booter: no
> silent-boot: no
> protected-routerboot: enabled
> reformat-hold-button: 5m
> So now:
> - holding the reset button for a reasonable time does nothing
> - it boots just from NAND, so there is no chance to boot from network
>
> But what exactly happens when someone holds the reset button for more than 5 minutes? Does it enable Netinstall or just reset the config? I have tried to press it longer than the "reformat-hold-button" time on one testing device and it seems to be bricked...
>
> Thanks a lot!
Just like manual explains, it will erase the NAND in a secure way, and essentially Brick the device. So what you see is as it should be.

See last option, the one that says EXTREMELY DANGEROUS:

http://wiki.mikrotik.com/wiki/Manual:Ro ... D_settings
 
bajodel
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Protected RouterBOOT

Tue Sep 08, 2015 7:38 pm

Probably my English is really bad, but I can't understand the manual page.

.. So..

If I press reset for "reformat-hold-button" seconds, the board erases everything (deep mode) and I can netinstall a fresh new install.

If I press for more seconds than "reformat-hold-button", the device is unrecoverably bricked?

If yes, what is the tolerance window (seconds) of reformat-hold-button?
 
normis
MikroTik Support
Posts: 24077
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Wed Sep 09, 2015 10:14 am

No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.
 
bajodel
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Protected RouterBOOT

Wed Sep 09, 2015 10:44 am

> No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.
Perfect, now it's clear. Thanks.
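
An added example, not part of any post in this thread and not MikroTik code: a small Python check that reads a settings listing in the `key: value` form posted above and reports what the replies in this thread say each value does and does not protect. The duration format (`20s`, `5m`, `1m30s`), the severity labels and the second sample listing are assumptions made for the example.

```python
import re

# Range quoted in the thread for reformat-hold-button (5s .. 300s).
HOLD_MIN_S, HOLD_MAX_S = 5, 300

# Settings listing as posted in the thread (hAP lite).
POSTED = """\
boot-device: nand-only
cpu-frequency: 650MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
protected-routerboot: enabled
reformat-hold-button: 5m
"""

# Constructed sample: a device left without the protection.
CONSTRUCTED = """\
boot-device: nand-if-fail-then-ethernet
protected-routerboot: disabled
reformat-hold-button: 20s
"""

# Assumed duration syntax: optional minutes, optional seconds ("5m", "20s", "1m30s").
_DURATION = re.compile(r"(?:(\d+)m)?(?:(\d+)s)?$")


def parse_settings(text):
    """Turn 'key: value' lines into a dict, ignoring lines without a colon."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings


def hold_seconds(value):
    """Convert a duration such as '5m' to seconds; None if it cannot be parsed."""
    m = _DURATION.match(value)
    if not value or not m or not (m.group(1) or m.group(2)):
        return None
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)


def audit(settings):
    """Return (severity, message) findings based on the behaviour described in the thread."""
    findings = []
    protected = settings.get("protected-routerboot") == "enabled"
    if not protected:
        findings.append(("HIGH",
            "protected-routerboot is not enabled: the reset button can force a "
            "network boot even with boot-device=nand-only, and whatever is "
            "booted can read the NAND"))
    boot_device = settings.get("boot-device")
    if boot_device != "nand-only":
        findings.append(("MEDIUM", f"boot-device is {boot_device!r}, not nand-only"))
    if protected:
        hold = hold_seconds(settings.get("reformat-hold-button", ""))
        if hold is None:
            findings.append(("MEDIUM", "reformat-hold-button missing or unparseable"))
        elif not HOLD_MIN_S <= hold <= HOLD_MAX_S:
            findings.append(("MEDIUM",
                f"reformat-hold-button={hold}s is outside {HOLD_MIN_S}s..{HOLD_MAX_S}s"))
        else:
            # The hold time is a delay, not a secret: holding longer works too.
            findings.append(("INFO",
                f"holding reset for {hold}s or longer reformats the NAND and "
                "enters Etherboot; stored data is erased, but the hardware can "
                "be reinstalled with Netinstall"))
    return findings


if __name__ == "__main__":
    for name, listing in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(name)
        for severity, message in audit(parse_settings(listing)):
            print(f"  [{severity}] {message}")
```
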
 
longerCZ
just joined
Posts: 13
Joined: Thu Aug 22, 2013 2:12 pm

Re: Protected RouterBOOT

Mon Sep 14, 2015 2:28 pm

> No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.
So a procedure of NetInstall after holding RESET button for "reformat-hold-button" time is what?

I have tried to do steps as mentioned in NetInstall manual:
-I have IP on computer's NIC
-I have IP from the same subnet set in NetInstall
-RB941-2nD is connected directly to NIC
-RB941-2nD is powered on with pushed RESET button for approx 15s

When I just boot the device without the RESET button, its eth ports blink randomly. If I use the previous steps, it acts normally (all eth ports are off, only the connected one is on). The thing is that it doesn't appear in the NetInstall list. When I use another working device it shows in the list normally, so the PC's configuration seems to be OK.

Device is still bricked. Any help?
