kmailz
just joined
Topic Author
Posts: 2
Joined: Sun Feb 22, 2015 10:16 pm

Protected RouterBOOT

Sun Feb 22, 2015 10:44 pm

Hi all,
I found the new protected-routerboot setting in the Wiki. It sounded too good to be true, so I installed the update package for backup RouterBOOT. I did everything as written in the Wiki... And the result? Nothing, I was still able to boot into netinstall mode.
It took me two days of fun to find that my RB is not supported.
rb_log.jpg
RB 750
ROS 6.27
RB FW: 3.22

Here comes the question: will the 750 be supported? :)

And please specify supported models in Wiki.

Thanks :)
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Mon Feb 23, 2015 12:35 pm

older devices have no ability to upgrade backup bootloader. only RB9xx and newer are supported
No answer to your question? How to write posts
 
kmailz
just joined
Topic Author
Posts: 2
Joined: Sun Feb 22, 2015 10:16 pm

Re: Protected RouterBOOT

Mon Feb 23, 2015 9:47 pm

Okay thanks.

from wiki:
Newer devices will have this new backup loader already installed in factory
Will this be applied to older devices like RB750?
 
Caci99
Forum Guru
Posts: 1065
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane
Contact:

Re: Protected RouterBOOT

Wed Feb 25, 2015 11:24 pm

This is a good feature but not as I would have expected it to act yet. It is a good first step to protect the routerboards which are installed into the open.

My main concern is about SXT Lite. What actually happens is that a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT. Keep in mind that SXT is generally offered free of charge to the customer, so there is one lost. Time after time this is a considerable loss. I have even asked support a long time ago if there was any way to stop others from stealing routerboards installed in the open by resetting or netinstall-ing them. But there was no way to protect a routerboard from netinstall.

This new method is a good step at protecting the routerboards, but still one can netinstall by holding the reset button for the given time. I just tested it on a SXT, and the SXT even flashes after the time is reached, indicating that the button can be released and it enters into netinstall.

My suggestion would be, is it possible to add a password to protect the routerboard from netinstall? A password which will prompt at the netinstall window? This is a better way to protect it.
I am glad that this issue has been addressed since it is a serious one, but I think it needs to be better than as it is now at this stage.
-Toni-
Don't crash the ambulance, whatever you do
 
marrold
Member
Posts: 415
Joined: Wed Sep 04, 2013 10:45 am

Re: Protected RouterBOOT

Wed Feb 25, 2015 11:57 pm

a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT
This is a 'contract' issue, not a software / hardware problem. I can't think of many/any devices that can't be forced to factory reset in some way.
I'm a SIP / VoIP engineer. Feel free to ask questions...
 
Caci99
Forum Guru
Posts: 1065
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane
Contact:

Re: Protected RouterBOOT

Thu Feb 26, 2015 12:13 am

This is a 'contract' issue, not a software / hardware problem. I can't think of many/any devices that can't be forced to factory reset in some way.
Oh well, so nothing to do about it, right? What about routerboards on towers and masts out in the open? Are you going to pay guards whose salary exceeds the value of the devices? And it depends on the country where you live. Here where I am, half of the customers don't want contracts, if you talk about contracts they look at you as if you are talking alien. I am talking about things that do happen in real life, not about hypothetical situations.
As I said, it is a good thing MikroTik introduced this feature, it only needs to be better.
-Toni-
Don't crash the ambulance, whatever you do
 
marrold
Member
Posts: 415
Joined: Wed Sep 04, 2013 10:45 am

Re: Protected RouterBOOT

Thu Feb 26, 2015 9:51 am

Like I said, I can't think of a single device that can be completely locked down. Most can be factory reset in some way, even if you have to solder something to the serial port on the board etc.

In the ideal world, how would Protected RouterBOOT work for you?
I'm a SIP / VoIP engineer. Feel free to ask questions...
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Thu Feb 26, 2015 12:06 pm

How does password differ from Protected RouterBOOT setting?

The only difference is ability to format the device for reset, but this is for the situation where you forget the password. Otherwise you would just brick it without recovery.

There is no way to protect against reset. If somebody really wants, they could even remove the NAND.
No answer to your question? How to write posts
 
Caci99
Forum Guru
Posts: 1065
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane
Contact:

Re: Protected RouterBOOT

Thu Feb 26, 2015 7:36 pm

Like I said, I can't think of a single device that can be completely locked down.
And I can't think of a single bank which can't be stolen, coincidentally one was stolen two weeks ago in my town :). This doesn't mean that measures have to be taken.
How does password differ from Protected RouterBOOT setting?
The password I mentioned was about the netinstall, but you don't have to follow my idea, you surely can come up with a better one. For example, a pattern pressing the button, like a port knocking. Like 20s keeping it pressed, then 5s pause, then 10s pressed and so on.
I may have understood it wrong, but I think Protected RouterBOOT was introduced to protect the router from being accessed by unauthorized people and as it stands now, unauthorized people can still access the routerboard by netinstall. All they need to do is a 5min read of the wiki and 5min test like I did.
-Toni-
Don't crash the ambulance, whatever you do
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Fri Mar 27, 2015 7:05 pm

I've been trying to figure out what the actual purpose of protected-bootloader is, and I cannot yet figure it out.

First, without the admin password, I don't know of any way to steal someone's configuration file. Sure, you can netinstall and reset the unit, which will delete the config, but that won't get you the old configuration. So, the purpose of protected-bootloader is not to protect the config file.

Second, you can netinstall and reinstall mikrotik regardless of the protected-bootloader setting, without knowing the admin password, and without knowing the seconds setting. Simply hold the button until it flashes, and then netinstall. Easy. So, the purpose of protected-bootloader is not to stop netinstall from working.

So ... what is the purpose of protected-bootloader???
 
andriys
Forum Guru
Posts: 1192
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Protected RouterBOOT

Fri Mar 27, 2015 7:45 pm

I may have understood it wrong, but i think Protected RouterBOOT was introduced to protect the router from being accessed by unauthorized people
Yes, you understood it wrong. Protected RouterBOOT is for protecting configuration of your device (including all the sensitive data it may contain) from access by unauthorized persons, but not to protect the device itself.
 
andriys
Forum Guru
Posts: 1192
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Protected RouterBOOT

Fri Mar 27, 2015 7:48 pm

First, without the admin password, I don't know of any way to steal someone's configuration file. Sure, you can netinstall and reset the unit, which will delete the config, but that won't get you the old configuration. So, the purpose of protected-bootloader is not to protect the config file.
You can boot anything using Netinstall, not just RouterOS installer. You can boot Linux there, login via ssh and read whatever is stored on the NAND chip. Protected RouterBOOT prevents that.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Fri Mar 27, 2015 8:03 pm

Ah, ok. Thank you.
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Sat Mar 28, 2015 9:43 am

Yes exactly.

Protecting against reset is not possible, since then you would have devices that can only be discarded / thrown away, if somebody forgets the password. Not something anybody wants really.
No answer to your question? How to write posts
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 7:39 pm

Yes exactly.

Protecting against reset is not possible, since then you would have devices that can only be discarded / thrown away, if somebody forgets the password. Not something anybody wants really.

Actually, based on the other posts here, I think that people DO want a device that would have to be discarded if the password is lost.

I think it would be better for a device to be thrown away, rather than a competitor to end up using it. Theft deterrent.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 7:43 pm

Like I said, I can't think of a single device that can be completely locked down. Most can be factory reset in some way, even if you have to solder something to the serial port on the board etc.
Wrong. There ARE devices that are useless without a password. iPhones and iPads have a locking feature where ONLY the owner can unlock it. If someone else gets a hold of the device, other than the owner, it is impossible to use (unless the owner unlocks it first).

It's called "Activation Lock" or "Find My iPad". There is currently no known way to bypass this lock. There are many stories of buying these devices on eBay when the original owner did not unlock it (or it was stolen and resold), where the purchaser had no way to use it.

So, not an exact comparison, but yes there are tech devices that can be completely locked down.
 
freemannnn
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 7:59 pm

where exactly is this option of protected-routerboot? i cant find it in my rb2011 and rb951 latest ros and firmware.
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 8:14 pm

where exactly is this option of protected-routerboot? i cant find it in my rb2011 and rb951 latest ros and firmware.
You have to do it from the command line:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader
 
freemannnn
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 8:18 pm

i already read the wiki. but i cant find it even in terminal. can u give me the command?
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 8:33 pm

i already read the wiki. but i cant find it even in terminal. can u give me the command?
Did you follow the instructions in the wiki, INCLUDING downloading and installing the required package?

http://www.mikrotik.com/download/share/ ... e_6_27.dpk
 
freemannnn
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 8:38 pm

no i didnt install this package. so i have to drag and drop it in files and reboot to get it installed? and after i will find the option in settings?
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sat Mar 28, 2015 9:08 pm

no i didnt install this package. so i have to drag and drop it in files and reboot to get it installed? and after i will find the option in settings?
Correct, this package is required for it to work. Install it just like you would any upgrade package.
 
freemannnn
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Protected RouterBOOT

Sun Mar 29, 2015 12:43 am

If I understand correctly, the reformat-hold-button (5s .. 300s; Default: 20s) is a last option to get access to the device while losing the configuration. So if I set this to e.g. 230 sec, it's impossible for the next guy who tries to reset it this way to find this timing, right?
The device gets unusable if you don't leave the default seconds at 20. Who will try sec by sec to find the right one?
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Protected RouterBOOT

Sun Mar 29, 2015 12:59 am

If I understand correctly, the reformat-hold-button (5s .. 300s; Default: 20s) is a last option to get access to the device while losing the configuration. So if I set this to e.g. 230 sec, it's impossible for the next guy who tries to reset it this way to find this timing, right?
The device gets unusable if you don't leave the default seconds at 20. Who will try sec by sec to find the right one?
I'd bet they could also keep it pressed for longer, just not shorter.

So the next guy, worst case scenario, will have to sit like an idiot for 5 minutes (300 seconds) pressing that button down, at least until a led starts flashing... If they're REALLY motivated to reuse your equipment, they might actually do it... or (if this becomes a common practice) create a rig that keeps the button pressed, until they manually pull it out of said rig, 5 minutes later.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
freemannnn
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Protected RouterBOOT

Sun Mar 29, 2015 1:06 am

Ahhh ok i didnt see that a led will start flashing when right time -seconds reached. I thought you have to be very lucky blindly count with a watch trying to guess when you have to stop pressing button.
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Protected RouterBOOT

Sun Mar 29, 2015 1:15 am

Ahhh ok i didnt see that a led will start flashing when right time -seconds reached. I thought you have to be very lucky blindly count with a watch trying to guess when you have to stop pressing button.
Actually, you might be right... I was extrapolating from the fact a "normal" reset has a led flashing as an indicator, but I see no indication in the wiki that this would happen with a protected boot's reset.

But still... I'd guess you could keep the button pressed for longer, so if the next guy keeps it pressed for 5 minutes, they're guaranteed to reset it.

Alternatively, there may be some small window around the time (e.g. 5 seconds, maybe 10). I mean, there MUST be SOME sort of window, considering that even if you KNOW the exact number of seconds needed and you have a clock with you, you're unlikely to hit that exact second, and having the button accept 5 additional seconds would let you hold down the button for one or two more seconds, rather than "just barely making it".

If there's 5 second window, it means one has to check 59 possible 5 second intervals, which would in turn cover the remaining 235 settings. Admittedly, even 59 attempts is a little too many for a manual process like this one.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
jandafields
Forum Guru
Posts: 1514
Joined: Mon Sep 19, 2005 6:12 pm

Re: Protected RouterBOOT

Sun Mar 29, 2015 2:18 am

Yes, the light flashes when the correct number of seconds has been reached. The "seconds" is really not a security measure at all, I don't know why they make it adjustable since the light flashes anyway.
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Sun Mar 29, 2015 9:14 am

I see this function to be rather useless complication than anything I would like to install to my devices...
 
freemannnn
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Re: Protected RouterBOOT

Sun Mar 29, 2015 11:34 am

Apple's security "find my iphone" I think is one of the best for the moment. They lock the device to the owner. You format the device and it asks for the last owner's Apple ID so you can use it again. But this is right for devices that can be stolen, e.g. mobiles.

If this happens to routers, CPE owners of them like organizations, hotels etc. will start a war on MikroTik for not being able to reset them because of a past IT that passcoded them!
 
andriys
Forum Guru
Posts: 1192
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re:

Sun Mar 29, 2015 3:29 pm

I see this function to be rather useless complication than anything I would like to install to my devices...
Other people's mileage may vary. I see Protected RouterBOOT as another important step towards the corporate market, where it is mandatory, for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, have legitimate physical access to the equipment.

Cisco ASA, for instance, has similar feature: "no service password-recovery".
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Re:

Sun Mar 29, 2015 3:43 pm

for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment
You don't need protected RouterBOOT for that particular scenario.

If the personnel has physical access to the device, but not the router password, they can reset the device, and upon normal reset, all settings, including said IPsec shared secrets, are lost. Only the HDD contents are preserved.

What the protected RouterBOOT protects from is if the personnel decides to ditch your IPsec shared secrets, in favor of a different network setup (say, one without IPsec at all) that they'll start setting up from scratch on their own (effectively taking the router for themselves; The bastards!)... or if the HDD contains sensitive data that wouldn't otherwise be gone, like say, a User Manager database.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Re:

Sun Mar 29, 2015 4:02 pm

for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment
You don't need protected RouterBOOT for that particular scenario.

If the personnel has physical access to the device, but not the router password, they can reset the device, and upon normal reset, all settings, including said IPsec shared secrets, are lost. Only the HDD contents are preserved.

What the protected RouterBOOT protects from is if the personnel decides to ditch your IPsec shared secrets, in favor of a different network setup (say, one without IPsec at all) that they'll start setting up from scratch on their own (effectively taking the router for themselves; The bastards!)... or if the HDD contains sensitive data that wouldn't otherwise be gone, like say, a User Manager database.
no, they actually could boot a different OS and read your settings ... netinstall is not the only thing you can boot.
No answer to your question? How to write posts
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Re:

Sun Mar 29, 2015 4:51 pm

no, they actually could boot a different OS and read your settings ... netinstall is not the only thing you can boot.
Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
andriys
Forum Guru
Posts: 1192
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Re:

Sun Mar 29, 2015 5:15 pm

Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
No. Even with "boot-device=nand-only" you can force network boot with reset button.
 
boen_robot
Forum Guru
Posts: 2411
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: Protected RouterBOOT

Sun Mar 29, 2015 5:35 pm

Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
No. Even with "boot-device=nand-only" you can force network boot with reset button.
Oh. I see... it all makes sense now.
PEAR2_Net_RouterOS(1.0.0b6) - My API client in PHP
(Rate my posts? If you want... no pressure...)
 
troffasky
Member
Posts: 399
Joined: Wed Mar 26, 2014 4:37 pm

Re: Protected RouterBOOT

Sun Mar 29, 2015 9:50 pm

If this happens to routers, CPE owners of them like organizations, hotels etc. will start a war on MikroTik for not being able to reset them because of a past IT that passcoded them!
I doubt it. Mikrotik can't be blamed for your IT not giving you the password they've set on your kit.
To cite another example, the recovery procedure for a lost password on a Mobotix IP camera is to send it back to the factory in Germany, and that particular feature can't be turned off :-)
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth
Contact:

Re: Protected RouterBOOT

Sun Aug 02, 2015 11:21 am

I just installed the pack on a 911 board and as per the log it was installed,
but in routerboard>settings I am unable to find any option to enable it.

Can anyone guide me with the exact command / process?

Thanks
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Mon Aug 03, 2015 9:36 am

No answer to your question? How to write posts
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth
Contact:

Re: Protected RouterBOOT

Mon Aug 03, 2015 10:37 am

I am not getting the options after I have installed the package,
that's why I am asking here
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Mon Aug 03, 2015 10:47 am

I am not getting the options after I have installed the package,
that's why I am asking here
did you check the log, after installing the package? it usually gives reason what failed. maybe your device is too old. it will say in the log. try to upload and reboot once more, then check log

package: http://www.mikrotik.com/download/share/ ... e_6_27.dpk
No answer to your question? How to write posts
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth
Contact:

Re: Protected RouterBOOT

Mon Aug 03, 2015 11:04 am

As per log it was installed
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth
Contact:

Re: Protected RouterBOOT

Tue Aug 04, 2015 4:07 pm

Please reply why i am not getting the options
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth
Contact:

Re: Protected RouterBOOT

Thu Aug 06, 2015 7:39 am

Please someone reply why i am not getting the options
 
andriys
Forum Guru
Posts: 1192
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Protected RouterBOOT

Thu Aug 06, 2015 1:18 pm

Please someone reply why i am not getting the options
Write to support[at]mikrotik.com asking this same question. This is a user forum, and I believe protected RouterBOOT is not a widely used option.
 
longerCZ
just joined
Posts: 13
Joined: Thu Aug 22, 2013 2:12 pm

Re: Protected RouterBOOT

Mon Sep 07, 2015 7:55 pm

Hello guys, can you please help me clarify following situation?

I give my clients MikroTik hAP lite routers and I want to protect them so they cannot be accidentally reset (our customers like to touch hidden buttons, don't know why). So I have done the following settings with the discussed new feature like this:
boot-device: nand-only
cpu-frequency: 650MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
protected-routerboot: enabled
reformat-hold-button: 5m
So now:
-holding reset button reasonable time makes nothing
-it boots just from NAND so there is no chance to boot from network

But what exactly happens when someone holds the reset button for more than 5 minutes? Does it enable Netinstall or just reset the config? I have tried to press it longer than the "reformat-hold-button" time on one testing device and it seems to be bricked...

Thanks a lot!
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Tue Sep 08, 2015 1:04 pm

Hello guys, can you please help me clarify following situation?

I give my clients MikroTik hAP lite routers and I want to protect them so they cannot be accidentally reset (our customers like to touch hidden buttons, don't know why). So I have done the following settings with the discussed new feature like this:
boot-device: nand-only
cpu-frequency: 650MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
protected-routerboot: enabled
reformat-hold-button: 5m
So now:
-holding reset button reasonable time makes nothing
-it boots just from NAND so there is no chance to boot from network

But what exactly happens when someone holds the reset button for more than 5 minutes? Does it enable Netinstall or just reset the config? I have tried to press it longer than the "reformat-hold-button" time on one testing device and it seems to be bricked...

Thanks a lot!
Just like manual explains, it will erase the NAND in a secure way, and essentially Brick the device. So what you see is as it should be.

See last option, the one that says EXTREMELY DANGEROUS:

http://wiki.mikrotik.com/wiki/Manual:Ro ... D_settings
No answer to your question? How to write posts
 
bajodel
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Protected RouterBOOT

Tue Sep 08, 2015 7:38 pm

Probably my english is really bad, but I can't understand the manual page.

.. So..

If I press reset for "reformat-hold-button" seconds the board erases everything (deep mode) and I can netinstall a fresh new install.

If I press for more seconds than "reformat-hold-button", the device is unrecoverably bricked?

If yes, what is the tolerance window (seconds) of reformat-hold-button?
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Wed Sep 09, 2015 10:14 am

No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.
No answer to your question? How to write posts
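The behaviour stated across the posts above can be turned into a settings audit. This is an added example, not code from the thread or from MikroTik: the function names and finding codes are hypothetical, the first sample is the settings block posted earlier in the thread, and the other two are constructed.

```python
import re

# Range and default quoted in the thread from the wiki:
# reformat-hold-button (5s .. 300s; Default: 20s)
HOLD_MIN_S, HOLD_MAX_S, HOLD_DEFAULT = 5, 300, "20s"
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_settings(text):
    """Parse 'key: value' lines as pasted from the routerboard settings."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            settings[key.strip()] = value.strip()
    return settings


def parse_duration(value):
    """Convert '20s', '5m', '1m30s' or 'hh:mm:ss' to seconds."""
    if re.fullmatch(r"\d+:\d{2}:\d{2}", value):
        hours, minutes, seconds = (int(p) for p in value.split(":"))
        return hours * 3600 + minutes * 60 + seconds
    parts = re.findall(r"(\d+)([hms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def assess(settings):
    """Return (code, message) findings for one device's boot settings."""
    findings = []
    if settings.get("protected-routerboot") != "enabled":
        # Stated in the thread: the reset button can force network boot,
        # and whatever is booted that way can read the NAND contents.
        findings.append(("netboot-exposes-nand",
                         "reset button can force network boot; stored "
                         "configuration is readable by the booted system"))
        if settings.get("boot-device") == "nand-only":
            findings.append(("nand-only-not-sufficient",
                             "boot-device=nand-only does not block the "
                             "button-forced network boot"))
        return findings
    raw = settings.get("reformat-hold-button", HOLD_DEFAULT)
    try:
        hold = parse_duration(raw)
    except ValueError:
        findings.append(("hold-unparseable", f"cannot read {raw!r}"))
        return findings
    if not HOLD_MIN_S <= hold <= HOLD_MAX_S:
        findings.append(("hold-out-of-range",
                         f"{hold}s is outside {HOLD_MIN_S}s..{HOLD_MAX_S}s"))
    # Stated in the thread: holding for the configured time or longer
    # reformats NAND and enters Etherboot; Netinstall is needed afterwards.
    findings.append(("long-press-wipes",
                     f"holding reset for {hold}s or longer reformats NAND; "
                     "configuration is lost, hardware needs Netinstall"))
    return findings


def codes(text):
    """Convenience wrapper: finding codes for a pasted settings block."""
    return [code for code, _ in assess(parse_settings(text))]


# Settings block as posted in the thread.
POSTED = """boot-device: nand-only
cpu-frequency: 650MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
protected-routerboot: enabled
reformat-hold-button: 5m"""

# Constructed variants for comparison.
CONSTRUCTED_UNPROTECTED = POSTED.replace("enabled", "disabled")
CONSTRUCTED_BAD_HOLD = POSTED.replace("5m", "10m")

if __name__ == "__main__":
    for name, text in [("posted", POSTED),
                       ("unprotected", CONSTRUCTED_UNPROTECTED),
                       ("bad hold", CONSTRUCTED_BAD_HOLD)]:
        print(name)
        for code, message in assess(parse_settings(text)):
            print(f"  {code}: {message}")
```
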
 
bajodel
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Protected RouterBOOT

Wed Sep 09, 2015 10:44 am

No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.
Perfect, now it's clear. Thanks.
 
longerCZ
just joined
Posts: 13
Joined: Thu Aug 22, 2013 2:12 pm

Re: Protected RouterBOOT

Mon Sep 14, 2015 2:28 pm

No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.
So a procedure of NetInstall after holding RESET button for "reformat-hold-button" time is what?

I have tried to do steps as mentioned in NetInstall manual:
-I have IP on computer's NIC
-I have IP from the same subnet set in NetInstall
-RB941-2nD is connected directly to NIC
-RB941-2nD is powered on with pushed RESET button for approx 15s

When I just boot the device without the RESET button, its eth ports blink randomly. If I use the previous steps, it acts normally (all eth ports are off, only the connected one is on). The thing is that it doesn't appear in the list of NetInstall. When I use another working device it shows in the list normally, so the PC's configuration seems to be OK.

Device is still bricked. Any help?
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Mon Sep 14, 2015 2:33 pm

Did you connect the PC to the Ether1 port of the router?
-RB941-2nD is powered on with pushed RESET button for approx 15s
keep holding the button longer, until you see the device in Netinstall

also make sure PC has no firewall or antivirus that could be blocking Netinstall. Also you can try to right-click it and "Run as administrator"
No answer to your question? How to write posts
 
bajodel
Long time Member
Posts: 545
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: Protected RouterBOOT

Mon Sep 14, 2015 3:25 pm

..[CUT]..
So a procedure of NetInstall after holding RESET button for "reformat-hold-button" time is what?

I have tried to do steps as mentioned in NetInstall manual:
-I have IP on computer's NIC
-I have IP from the same subnet set in NetInstall
-RB941-2nD is connected directly to NIC
-RB941-2nD is powered on with pushed RESET button for approx 15s

..[CUT]..
Device is still bricked. Any help?
The routerboard should be connected on ether1 (normally ..read manual for specific device).
 
longerCZ
just joined
Posts: 13
Joined: Thu Aug 22, 2013 2:12 pm

Re: Protected RouterBOOT

Mon Sep 14, 2015 7:21 pm

Did you connect the PC to the Ether1 port of the router?
-RB941-2nD is powered on with pushed RESET button for approx 15s
keep holding the button longer, until you see the device in Netinstall

also make sure PC has no firewall or antivirus that could be blocking Netinstall. Also you can try to right-click it and "Run as administrator"
I have tried holding RESET button for over 8 minutes and it didn't appear. The device is connected to ether1, I have also tried ether2. NetInstall is running on WinXP machine specially dedicated to these jobs. It's not connected to the Internet, doesn't have firewall enabled and no AV installed. There is only account - Administrator. All files are up to date as they are recently published on mikrotik.com.

Now I think the device is bricked if the RESET button doesn't need to be held for 1 hour or so...
 
freemannnn
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Re: Protected RouterBOOT

Sun Dec 06, 2015 7:30 pm

so what happened at last? was the device bricked?
 
longerCZ
just joined
Posts: 13
Joined: Thu Aug 22, 2013 2:12 pm

Re: Protected RouterBOOT

Sun Dec 06, 2015 9:40 pm

so what happened at last? was the device bricked?
yes, bricked, changed on warranty...
 
freemannnn
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Protected RouterBOOT

Sun Dec 06, 2015 9:58 pm

This was random, I imagine. It shouldn't happen, right?
 
longerCZ
just joined
Posts: 13
Joined: Thu Aug 22, 2013 2:12 pm

Re: Protected RouterBOOT

Mon Dec 07, 2015 12:21 pm

This was random, I imagine. It shouldn't happen, right?
It shouldn't, but I am pretty sure that this will happen with every board. We just need to hope that no one will have the great idea of holding the reset button for 5 minutes. :-)
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth
Contact:

Re: Protected RouterBOOT

Sun Dec 27, 2015 1:55 pm

What do you think about this idea:
for Level 3 devices (mostly used for CPE), make an option that until the device is activated by connecting to the internet, features like bridge and NAT will not work.
This will force users to activate it after reset, and for activation it should query the Mikrotik account ID, and there you can set up some ownership thing, like if I purchase a device then the serial number will be mapped under my Mikrotik ID and only I can unlock it.
When I sell it to someone, there should be an option to transfer ownership from the online Mikrotik panel.

By doing this, the user will be forced to ask us to unlock the device before they switch provider (after all, we are providing CPE to users at a very much discounted rate, or even free sometimes).
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Sun Dec 27, 2015 3:02 pm

Is there anyone having problems with stealing your equipment? Do you think that not informed thief will not steal your devices if it will be blocked somehow? Do you believe that informed thief will return back your blocked device? My opinion is that this feature is just another artificial source of future potential problems and generally for nothing.
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth
Contact:

Re: Protected RouterBOOT

Sun Dec 27, 2015 3:14 pm

See, I am not trying to prevent CPE from being stolen,
but think from a customer's view: he and other providers will also know that the CPE cannot be used with another network unless we allow it,
so they will have to get a new CPE.
Why I am telling this is that we are giving a free SXT with the connection, and the customer takes the connection from us and after 1 month, instead of paying us, they approach another provider to give a connection on the CPE and not charge any installation cost.

So we are the ultimate loser.
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Sun Dec 27, 2015 5:13 pm

But you can take a deposit for some initial period from customer or make an agreement that you will invoice the costs under such conditions...
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth
Contact:

Re: Protected RouterBOOT

Sun Dec 27, 2015 5:26 pm

Make an agreement, then go to court for such a small amount.
Even a lawyer will charge more than the cost of the CPE.
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Sun Dec 27, 2015 5:32 pm

... Deposit...
 
Caci99
Forum Guru
Posts: 1065
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane
Contact:

Re: Protected RouterBOOT

Mon Dec 28, 2015 12:35 pm

I have written it before, but I will repeat it. The situation is as @kgninfos describes it. You give CPE for free to a new customer (or whatever deal you are offering), then competition arrives and offers him a better deal using the CPE. The customer is unaware of what is behind it, he is just looking for the better deal. It is not possible to go to court or use whatever other legal instrument in countries like mine.
If the access to the board is blocked, the competition will not be able to give the service, even if he will try. So without the CPE he will need to change the offer or just step back. Sooner or later the situation described will not be possible anymore. Everyone will have to offer the deals with their own equipment. A lot of my customers who are small WISP themselves have asked for such a feature for long time.
-Toni-
Don't crash the ambulance, whatever you do
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Protected RouterBOOT

Mon Dec 28, 2015 9:06 pm

so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change :)
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Tue Dec 29, 2015 10:38 am

so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change :)
please report a bug to mikrotik
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Protected RouterBOOT

Tue Dec 29, 2015 10:14 pm

so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change :)
please report a bug to mikrotik
how i can report bugs to mikrotik?
 
troffasky
Member
Posts: 399
Joined: Wed Mar 26, 2014 4:37 pm

Re: Protected RouterBOOT

Wed Dec 30, 2015 12:43 am

Email support.

But really, economic problem won't be fixed with technical workarounds. If you aren't charging enough to cover your costs, Mikrotik cannot fix this for you.
 
kgninfos
Member
Posts: 387
Joined: Thu Jun 21, 2012 7:34 pm
Location: Earth
Contact:

Re: Protected RouterBOOT

Wed Dec 30, 2015 7:08 am

i guess you have not got a competitor or very rich people are there who are paying

think why apple is giving device lock when we all know apple phones are costly and their owner can afford a new phone
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Wed Dec 30, 2015 8:36 am

so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change :)
please report a bug to mikrotik
how i can report bugs to mikrotik?
email support@mikrotik.com
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Wed Dec 30, 2015 8:39 am

This feature is not to prevent something from being stolen. It is to protect your data. The feature allows to block device from using network boot to access your data without password. By using protected routerboot, a forgotten password will mean to nullify your NAND, then Netinstall. This way, if somebody steals your device, your config and passwords are safe.
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: Protected RouterBOOT

Thu Dec 31, 2015 1:18 am

Hardwired anti-theft tech can also be implemented in firmware, just like in notebooks, but I hope it never happens, because it's exploitable (and usually by random 3rd parties) as hell and causes more damage than it saves money.
 
skyhawk
just joined
Posts: 20
Joined: Thu Jan 14, 2016 10:27 am

Re: Protected RouterBOOT

Mon Jan 18, 2016 2:48 pm

My test-bench RB941-2nD cannot enter protected-bootloader mode. Upon factory reset the bootloader reverts to 3.19, which I'm guessing is the backup bootloader?

Can I ask for a protected-bootloader-install package for smips? the -mipsbe one refuses to install.

RouterOS 6.33.5, /system routerboard shows current firmware is 3.29
protected-bootloader doesn't appear anywhere under /system routerboard or /system routerboard settings.
 
PaulsMT
MikroTik Support
Posts: 283
Joined: Tue Feb 10, 2015 3:21 pm

Re: Protected RouterBOOT

Mon Jan 18, 2016 4:05 pm

To enable protected RouterBOOT, you have to update board backup BIOS to v3.24.

This backup BIOS package can be downloaded here:
http://www.mikrotik.com/download/share/ ... mipsbe.dpk

More info here:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader

Enable protected RouterBOOT under:
/system routerboard settings set
 
skyhawk
just joined
Posts: 20
Joined: Thu Jan 14, 2016 10:27 am

Re: Protected RouterBOOT

Tue Jan 19, 2016 3:44 am

Thanks PaulsMT, but I need an install package for smips...
jan/01 00:00:04 system,info verified protected_routerboot_v3_24_enable_6_29_1_mipsbe.dpk 
13:36:09 system,error can not install protected-router-6.29: it is not made for smips, but for mips 
13:36:09 system,info router rebooted 

[admin@RB941-2nD-560C045163E9] > /system routerboard settings set protected-routerboot=enabled 
echo: system,info,critical Current RouterBOOT does not support this feature
 
PaulsMT
MikroTik Support
Posts: 283
Joined: Tue Feb 10, 2015 3:21 pm

Re: Protected RouterBOOT

Thu Jan 21, 2016 11:39 am

Thanks PaulsMT, but I need an install package for smips...
jan/01 00:00:04 system,info verified protected_routerboot_v3_24_enable_6_29_1_mipsbe.dpk 
13:36:09 system,error can not install protected-router-6.29: it is not made for smips, but for mips 
13:36:09 system,info router rebooted 

[admin@RB941-2nD-560C045163E9] > /system routerboard settings set protected-routerboot=enabled 
echo: system,info,critical Current RouterBOOT does not support this feature

Thank you for reporting us, we have just added missing package for smips. You can download it here:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader

Press link for smips platform to download file.
 
soueidan
just joined
Posts: 7
Joined: Sun Nov 25, 2012 9:49 pm

Re: Protected RouterBOOT

Mon Feb 29, 2016 5:26 pm

Hello All,

As it is mentioned in the wiki " The backup RouterBOOT version can not be older than v3.22 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory."

However, what is the way to upgrade the backup RouterBOOT ?

Simply dragging the file into files section and rebooting is not working!

Is there a special way to do so?

Looking forward for replies.

Thanks in advance.
 
PaulsMT
MikroTik Support
Posts: 283
Joined: Tue Feb 10, 2015 3:21 pm

Re: Protected RouterBOOT

Tue Mar 22, 2016 2:32 pm

Hello All,

As it is mentioned in the wiki " The backup RouterBOOT version can not be older than v3.22 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory."

However, what is the way to upgrade the backup RouterBOOT ?

Simply dragging the file into files section and rebooting is not working!

Is there a special way to do so?

Looking forward for replies.

Thanks in advance.
1. Make sure your RouterOS is not very old - for Tile and Smips at least 6.33, for mipsbe 6.29.1
2. drag & drop DPK update file for your architecture:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader
3. Reboot.

You should see update information in the log output (/log print)
 
skyhawk
just joined
Posts: 20
Joined: Thu Jan 14, 2016 10:27 am

Re: Protected RouterBOOT

Sat Jun 11, 2016 8:28 am

05:16:31 system,info verified protected_routerboot_v3_29_enable_6_33_smips.dpk 
05:16:32 system,info installed protected-router-6.33 
05:16:32 system,info FAILED to enable protected RouterBOOT: wrong running booter version 

             model: RouterBOARD 941-2nD
     serial-number: <...>
     firmware-type: qca9531L
  factory-firmware: 3.19
  current-firmware: 3.33
  upgrade-firmware: 3.33

                   uptime: 8m43s
                  version: 6.35.2 (stable)
               build-time: May/02/2016 10:09:26
<....>
        architecture-name: smips
               board-name: hAP lite
                 platform: MikroTik

Any chance for an updated protected-router package for smips?
 
ofca
Member Candidate
Posts: 190
Joined: Fri Aug 20, 2004 7:18 pm

Re: Protected RouterBOOT

Sat Oct 01, 2016 3:22 am

I'm having the same problem as above.
 
Nord
just joined
Posts: 1
Joined: Fri Oct 21, 2016 11:06 am

Re: Protected RouterBOOT

Fri Oct 21, 2016 11:10 am

I'm having the same problem as above.

[admin@Aseev_SV] /system routerboard settings> set protected-routerboot=enabled
echo: system,info,critical Current RouterBOOT does not support this feature
[admin@Aseev_SV] /system routerboard settings> pri
;;; Current RouterBOOT does not support this feature
boot-device: nand-if-fail-then-ethernet
cpu-frequency: 600MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
[admin@Aseev_SV] /system routerboard settings> ..
[admin@Aseev_SV] /system routerboard> print
;;; Current RouterBOOT does not support this feature
routerboard: yes
model: SXT 5nD r2
serial-number: 522304A494DE
firmware-type: ar9344
factory-firmware: 3.22
current-firmware: 3.33
upgrade-firmware: 3.33
[admin@Aseev_SV] /system routerboard> print
;;; Current RouterBOOT does not support this feature
routerboard: yes
model: SXT 5nD r2
serial-number: 522304A494DE
firmware-type: ar9344
factory-firmware: 3.22
current-firmware: 3.33
upgrade-firmware: 3.33
 
agnostic
Frequent Visitor
Posts: 54
Joined: Fri Mar 21, 2014 8:23 pm

Re: Protected RouterBOOT

Fri Oct 21, 2016 6:09 pm

Why want a device that is impossible to reset to some standard and known settings? In case something goes bad you will have a dead router. It is preferred that the router works even with another provider. If you want to be OK with the idea that a client may use the device with another provider, then charge them for it and then just protect your settings and passwords with this feature.
 
kadhim09
newbie
Posts: 38
Joined: Sat Oct 29, 2016 10:11 am
Location: iraq/samawa

Re: Protected RouterBOOT

Sat Nov 05, 2016 7:21 pm

older devices have no ability to upgrade backup bootloader. only RB9xx and newer are supported

So can I use the bootloader in SXT Lite?
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Sat Jan 28, 2017 3:01 pm

WARNING: DOING IT IS AT ALL YOUR RISK!!!

I can't test all model, but if I find one problem, I report that here.

IF YOUR HARDWARE HAVE MAJOR VERSION OF RESPECTIVE FACTORY BOOT, DO NOTHING!!!
You can see Factory Firmware version from RouterOS 6.34rc45 with "/system routerboard print" command

Actually the 5 files on
http://wiki.mikrotik.com/wiki/Manual:Ro ... D_settings
are:
https://www.mikrotik.com/download/share ... mipsbe.dpk
https://www.mikrotik.com/download/share ... _smips.dpk
https://www.mikrotik.com/download/share ... _mmips.dpk
https://www.mikrotik.com/download/share ... 0_tile.dpk
https://box.mikrotik.com/f/313edb5d0e2f479b8aba/?dl=1 ( Universal 6.43.7 enable for 6.43.x RouterOS )

Those Factory RouterBOOT are ALSO a replacement for previous bugged Factory RouterBOOT!!!

DO NOT UPGRADE DISTANT HARDWARE, SOMETIME (in case of error) MANUAL REBOOT IS NEEDED!!!
I HAVE WARNED YOU...


Before the use:
Check RouterOS version, only 6.40.9 and 6.43.7 "support all hardware supported" (previous versions sometime do not rightly recognize RB also if supported) for upgrade factory bios (for now with the mikrotik's files provided)
You must choose the right file for the RouterBOARD architecture.

UNSUPPORTED:
arm all [AL2(L), DX3230(L), IPQ8060, IPQ4000(L), ...]
mipsle all [adm5120, ar2316, rc32434, ...]
powerpc all [amcc460, mpc8323, mpc8343, mpc8544, mpc8548, p1023, p2020, ...]
EDIT: 6.43.7 contains powerpc [only mpc8544, p1023, p2020] BIOS, but I not have actually tested if work
x86 all [RB230 wlb, ...]
and obviously any SwOS / SwitchOS only board.

The ONLY architecture supported are mipsbe, smips, mmips and tile!!!
EDIT: 6.43.7 contains powerpc [only mpc8544, p1023, p2020], but I not have actually tested if work

EDIT: MikroTik actually do not publish single 6.43.7 BIOS files, use RouterOS 6.43.7 for update the current bios to the right version for upgrade.

the file for tile supports:
tilegx (3.41 http://i.mt.lv/routerboard/files/tilegx_3.41.fwf )

the file for mmips supports:
mt7621L (3.41 http://i.mt.lv/routerboard/files/mt7621L_3.41.fwf )
the mmips mt7621 (without "L") if exist, is UNSUPPORTED

the file for smips supports:
qca9531L (3.41 http://i.mt.lv/routerboard/files/qca9531L_3.41.fwf )
the smips qca9531 (without "L") if exist, is UNSUPPORTED

the file for mipsbe supports:
ar7100 (3.41 http://i.mt.lv/routerboard/files/ar7100_3.41.fwf ) some old models still unsupported, i do not have one precise list
ar9330 (3.41 http://i.mt.lv/routerboard/files/ar9330_3.41.fwf )
ar9330L (3.41 http://i.mt.lv/routerboard/files/ar9330L_3.41.fwf )
ar9340 (3.41 http://i.mt.lv/routerboard/files/ar9340_3.41.fwf )
ar9340L (3.41 http://i.mt.lv/routerboard/files/ar9340L_3.41.fwf )
ar9344 (3.41 http://i.mt.lv/routerboard/files/ar9344_3.41.fwf )
ar9344L (3.41 http://i.mt.lv/routerboard/files/ar9344L_3.41.fwf )
qca8513 (3.41 http://i.mt.lv/routerboard/files/qca8513_3.41.fwf )
qca8513L (3.41 http://i.mt.lv/routerboard/files/qca8513L_3.41.fwf )

qca8719 (without "L") if exist, is UNSUPPORTED
qca8719L (3.41 http://i.mt.lv/routerboard/files/qca8719L_3.41.fwf )
qca9531 (without "L") if exist, is UNSUPPORTED
qca9531L (3.41 http://i.mt.lv/routerboard/files/qca9531L_3.41.fwf )
qca9550 (3.41 http://i.mt.lv/routerboard/files/qca9550_3.41.fwf )
qca9550L (3.41 http://i.mt.lv/routerboard/files/qca9550L_3.41.fwf )

the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).

The single file update the Factory RouterBOOT with same version on is name and require before upgrade the same bios on filename as current firmware (active and booted):

https://www.mikrotik.com/download/share ... 0_tile.dpk
Before the update the tile must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

https://www.mikrotik.com/download/share ... _smips.dpk
Before the update the smips must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

https://www.mikrotik.com/download/share ... _mmips.dpk
Before the update the mmips must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

https://www.mikrotik.com/download/share ... mipsbe.dpk
Before the update the mipsbe must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

*** START EDIT ***
https://box.mikrotik.com/f/313edb5d0e2f479b8aba/?dl=1 ( Universal 6.43.7 enable for 6.43.x RouterOS )
For use "Universal" factory boot update, RouterOS must be 6.43.7, current bios must be 6.43.7 from boot (not just updated).
*** END EDIT ***

After the update of Factory RouterBOOT with support for protected-routerboot, you can upgrade again the current bios to the latest version present on future version of RouterOS.

I hope all is clear now for all.
Last edited by rextended on Mon Jan 07, 2019 6:33 pm, edited 59 times in total.
I'm Italian, not English. Sorry for my imperfect grammar.
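
The pre-flight conditions from the guide above (architecture, firmware-type, RouterOS 6.40.7, current firmware exactly 3.41) as an added example, not part of the original post and not MikroTik's code: it parses pasted `/system routerboard print` and `/system resource print` output and says whether the factory RouterBOOT package may be applied. The function names, verdict names, the 3.41 package version and the reading of "major version" as "same or newer" are assumptions.

```python
import re

# Architectures and firmware-types covered by the factory .dpk files,
# as listed in the guide above (ar7100: some old models are still unsupported).
SUPPORTED = {
    "tile": {"tilegx"},
    "mmips": {"mt7621L"},
    "smips": {"qca9531L"},
    "mipsbe": {"ar7100", "ar9330", "ar9330L", "ar9340", "ar9340L", "ar9344",
               "ar9344L", "qca8513", "qca8513L", "qca8719L", "qca9531L",
               "qca9550", "qca9550L"},
}
REQUIRED_ROS = (6, 40, 7)     # guide: RouterOS 6.40.7 before the update
REQUIRED_CURRENT = (3, 41)    # guide: EXACTLY 3.41 as current booted firmware
PACKAGE_FACTORY = (3, 41)     # assumption: version the .dpk installs as factory
AR7240_MIN = (3, 24)          # guide: ar7240 works if factory and current >= 3.24

_FIELD = re.compile(r"^\s*([a-z][a-z0-9-]*):\s*(.*?)\s*$")


def parse_print(text):
    """Collect 'key: value' lines; prompts, ';;;' comments and log lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def version(text):
    """'6.35.2 (stable)' -> (6, 35, 2); None when no leading version is present."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def preflight(routerboard_print, resource_print=""):
    """Return (verdict, reasons); verdict is ready, fix-first, not-needed, unsupported or unknown."""
    f = parse_print(routerboard_print)
    f.update(parse_print(resource_print))
    fw_type = f.get("firmware-type")
    factory = version(f.get("factory-firmware"))
    current = version(f.get("current-firmware"))
    if not fw_type or factory is None or current is None:
        return "unknown", ["firmware-type, factory-firmware or current-firmware missing"]
    if fw_type == "ar7240":
        # No factory package exists for ar7240; the feature depends on shipped versions.
        if factory >= AR7240_MIN and current >= AR7240_MIN:
            return "not-needed", ["ar7240: factory and current firmware are >= 3.24"]
        return "unsupported", ["ar7240: no factory package, firmware older than 3.24"]
    arch = f.get("architecture-name")
    if arch is None:
        return "unknown", ["architecture-name missing (paste /system resource print)"]
    if fw_type not in SUPPORTED.get(arch, set()):
        return "unsupported", [f"{arch}/{fw_type} is not covered by any factory package"]
    if factory >= PACKAGE_FACTORY:
        return "not-needed", ["factory firmware is already the package version or newer"]
    todo = []
    if version(f.get("version")) != REQUIRED_ROS:
        todo.append("install RouterOS 6.40.7 first")
    if current > REQUIRED_CURRENT:
        todo.append("downgrade current firmware to 3.41 and reboot")
    elif current < REQUIRED_CURRENT:
        todo.append("upgrade current firmware to 3.41 and reboot")
    return ("fix-first", todo) if todo else ("ready", [])


# Output posted earlier in this thread for an RB941-2nD (hAP lite).
SKYHAWK_ROUTERBOARD = """
             model: RouterBOARD 941-2nD
     serial-number: <...>
     firmware-type: qca9531L
  factory-firmware: 3.19
  current-firmware: 3.33
  upgrade-firmware: 3.33
"""
SKYHAWK_RESOURCE = """
                   version: 6.35.2 (stable)
         architecture-name: smips
"""
# Constructed sample: a mipsbe board that meets every condition of the guide.
READY_ROUTERBOARD = """
     firmware-type: ar9344
  factory-firmware: 3.22
  current-firmware: 3.41
"""
READY_RESOURCE = """
                   version: 6.40.7 (bugfix)
         architecture-name: mipsbe
"""

if __name__ == "__main__":
    print(preflight(SKYHAWK_ROUTERBOARD, SKYHAWK_RESOURCE))
    print(preflight(READY_ROUTERBOARD, READY_RESOURCE))
```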
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Sat Jan 28, 2017 3:08 pm

 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Sat Jan 28, 2017 3:09 pm

 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Sat Jan 28, 2017 3:17 pm

Why want a device that is impossible to reset to some standard and known settings? In case something goes bad you will have a dead router. It is preferred that the router works even with another provider. If you want to be OK with the idea that a client may use the device with another provider, then charge them for it and then just protect your settings and passwords with this feature.
My CPE are not sold to end user. If someone steals my CPE I not want than the thief also steals the "intellectual property", the passwords, etc.
At the end of the contracts the end user must give back the CPE.

The protected routerboot do not "protect" hardware but just the "intellectual property", the passwords, etc. inside the configuration.

If for some reason end user buy the CPE or other hardware, at the end of contract the routerboard is still fully usable, but the end user must clean all "intellectual property", the passwords, etc., after use it, because the user do not pay me for it's rent.
 
Mazutti
newbie
Posts: 27
Joined: Sat Jun 21, 2014 4:12 am

Re: Protected RouterBOOT

Sun Apr 16, 2017 7:42 pm

So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn't get any results.

Can anyone confirm if this error means these RBs are not supported (too old) or if that's something I'm doing wrong?

Any additional information, I would be glad to share.


Thanks in advance.

Mazutti
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Tue Apr 18, 2017 3:24 pm

So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn't get any results.

Can anyone confirm if this error means these RBs are not supported (too old) or if that's something I'm doing wrong?

Any additional information, I would be glad to share.


Thanks in advance.

Mazutti
fixed, use 6.40.7
viewtopic.php?f=2&t=94303&p=580430#p580430
Last edited by rextended on Tue Apr 10, 2018 3:43 am, edited 1 time in total.
 
Mazutti
newbie
Posts: 27
Joined: Sat Jun 21, 2014 4:12 am

Re: Protected RouterBOOT

Wed Apr 19, 2017 10:04 pm

So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn't get any results.

Can anyone confirm if this error means these RBs are not supported (too old) or if that's something I'm doing wrong?

Any additional information, I would be glad to share.


Thanks in advance.

Mazutti
I try the same with one 922UAGS-5HPacD with same error code 14 with 6.38.5

Downgraded to 6.37.5 for update and is working as expected

Is like the protected routerboot upgrade is stopping work on 6.38(.5)???
Makes sense, since both of my devices are on 6.38.5. Tested downgrading the mAP-2n to 6.37.5 and doing the procedure again and now protected routerboot is enabled. Will do the same on RB951G and report back.

Thanks again.


Mazutti
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Fri Apr 21, 2017 12:59 pm

It seems to me that you are following the procedure that only applies to very old devices, that need a special package. This package is no longer compatible with new RouterOS. We will soon make new packages.

But you don't need this package. You can just enable this feature from the console:
/system routerboard settings set protected-routerboot=enabled
 
Mazutti
newbie
Posts: 27
Joined: Sat Jun 21, 2014 4:12 am

Re: Protected RouterBOOT

Fri Apr 21, 2017 2:55 pm

It seems to me that you are following the procedure that only applies to very old devices, that need a special package. This package is no longer compatible with new RouterOS. We will soon make new packages.

But you don't need this package. You can just enable this feature from the console:
/system routerboard settings set protected-routerboot=enabled
Normis,

Yes, I followed the procedure rextended described above. RB951G also has been upgraded successfully after going back to 6.37.5, downgrading the firmware to 3.24, and then applying the mipsbe .dpk file. Message from a RB2011, if I try to apply the code you mentioned, on 6.38.5 is that "Current RouterBOOT does not support this feature.", and that is one of the last RB I have that yet doesn't support protected routerboot. If that error is not intended and you want access to or more information from the RB2011, just let me know, would be glad to help.

Thanks in advance.


Mazutti
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Thu Apr 27, 2017 6:03 pm

It seems to me that you are following the procedure that only applies to very old devices, that need a special package. This package is no longer compatible with new RouterOS. We will soon make new packages.

But you don't need this package. You can just enable this feature from the console:
/system routerboard settings set protected-routerboot=enabled
Normis,

Yes, I followed the procedure rextended described above. RB951G also has been upgraded successfully after going back to 6.37.5, downgrading the firmware to 3.24, and then applying the mipsbe .dpk file. Message from a RB2011, if I try to apply the code you mentioned, on 6.38.5 is that "Current RouterBOOT does not support this feature.", and that is one of the last RB I have that yet doesn't support protected routerboot. If that error is not intended and you want access to or more information from the RB2011, just let me know, would be glad to help.

Thanks in advance.


Mazutti

I have updated the guide.

viewtopic.php?f=2&t=94303&p=580430#p580430

Thanks for feedback.
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Thu Aug 10, 2017 2:32 pm

viewtopic.php?f=2&t=94303&p=580430#p580430

Updated for new 3.41 factory RouterBOOT
 
irghost
Member Candidate
Posts: 282
Joined: Sun Feb 21, 2016 1:49 pm

Re: Protected RouterBOOT

Thu Aug 10, 2017 7:19 pm


the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).
https://i.mt.lv/routerboard/files/ar7240_3.41.fwf
 /system routerboard> print 
       routerboard: yes
             model: RouterBOARD SXT LTE 3-7
     serial-number: ******************
     firmware-type: ar7240
  factory-firmware: 3.33
  current-firmware: 3.41
  upgrade-firmware: 3.41
MTCNA MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCINE
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Fri Aug 11, 2017 2:24 am


the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).
https://i.mt.lv/routerboard/files/ar7240_3.41.fwf
 /system routerboard> print 
       routerboard: yes
             model: RouterBOARD SXT LTE 3-7
     serial-number: ******************
     firmware-type: ar7240
  factory-firmware: 3.33
  current-firmware: 3.41
  upgrade-firmware: 3.41
And what you expect? You understand? (I do not know what you mean)
This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
as already written: the mipsbe ar7240 are UNSUPPORTED!!!
you can only upgrade "current" BIOS with the file in your link, but is useless for upgrade factory routerboot.
 
irghost
Member Candidate
Posts: 282
Joined: Sun Feb 21, 2016 1:49 pm

Re: Protected RouterBOOT

Fri Aug 11, 2017 7:25 am


And what you expect? You understand? (I do not know what you mean)
This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
as already written: the mipsbe ar7240 are UNSUPPORTED!!!
you can only upgrade "current" BIOS with the file in your link, but is useless for upgrade factory routerboot.
you Just Said Unsupported
Which one ? Current or Factory?
When u Didn't add AR7240 Firmware file and said " Unsupported "
maybe someone thinks there is no 3.41 firmware for AR7240
I just added AR7240 Firmware For correction
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Fri Aug 11, 2017 12:41 pm


And what you expect? You understand? (I do not know what you mean)
This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
as already written: the mipsbe ar7240 are UNSUPPORTED!!!
you can only upgrade "current" BIOS with the file in your link, but is useless for upgrade factory routerboot.
you Just Said Unsupported
Which one ? Current or Factory?
When u Didn't add AR7240 Firmware file and said " Unsupported "
maybe someone thinks there is no 3.41 firmware for AR7240
I just added AR7240 Firmware For correction
The file for upgrade the FACTORY firmware
https://www.mikrotik.com/download/share ... mipsbe.dpk
do NOT support ar7240.
I do not add the link for "CURRENT" firmware because this is not the point for this thread.
For Protected RouterBOOT the factory firmware MUST have the support for Protected RouterBOOT,
the CURRENT also must support Protected RouterBOOT, but is easily upgradable with standard .fwf files or with one embedded on routeros system package.
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Fri Aug 11, 2017 12:51 pm

Those files are only for upgrade CURRENT firmware.
Those file do not have the ability to modify the FACTORY firmware.

mipsbe (NEW, not present on actual RouterOS 6.40.x)
http://i.mt.lv/routerboard/files/ar7240_3.41.fwf

arm (all NEW, not presents on actual RouterOS 6.40.x)
http://i.mt.lv/routerboard/files/al2_3.42.fwf
http://i.mt.lv/routerboard/files/dx3230L_3.41.fwf
http://i.mt.lv/routerboard/files/ipq8060_3.41.fwf
http://i.mt.lv/routerboard/files/ipq4000L_3.41.fwf

smips (undocumented, not released on RouterOS)
http://i.mt.lv/routerboard/files/qca9531_3.36.3.fwf
warning: qca9531 and qca9531L do not are the same model!!!

powerpc (all this files are latest firmware already present on RouterOS 6.x)
http://i.mt.lv/routerboard/files/mpc8323_2.18.fwf
http://i.mt.lv/routerboard/files/mpc8343_2.27.fwf
http://i.mt.lv/routerboard/files/mpc8548_2.30.fwf
http://i.mt.lv/routerboard/files/amcc460_3.10.fwf
http://i.mt.lv/routerboard/files/mpc8544_3.24.fwf
http://i.mt.lv/routerboard/files/p1023_3.24.fwf
http://i.mt.lv/routerboard/files/p2020_3.24.fwf

x86 RB230 (this file is the latest firmware already present on RouterOS)
wlb-bios_1.3.8.fwf (I do not have a valid direct link, but it is embedded in all 5.x and 6.x RouterOS x86)
Last edited by rextended on Tue Apr 10, 2018 3:47 am, edited 4 times in total.
I'm Italian, not English. Sorry for my imperfect grammar.
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Fri Aug 11, 2017 3:08 pm

post deleted:
fixed on 6.40.7
Last edited by rextended on Tue Apr 10, 2018 3:48 am, edited 1 time in total.
I'm Italian, not English. Sorry for my imperfect grammar.
 
feris
just joined
Posts: 12
Joined: Tue May 16, 2017 3:58 pm

Re: Protected RouterBOOT

Fri Mar 09, 2018 10:05 am

Hello
I think there is a problem with the upgrade on ROS 6.41.
I can upgrade the current RouterBOOT firmware to 3.41 using the .fwf file with no problem.
Upgrading the factory RouterBOOT using the .dpk file also works fine according to the log output (verified & installed), but /system routerboard still shows the old factory version.
I've seen it on RB951G-2HnD and wAP ac.
Best Regards
 
CoMMyz
just joined
Posts: 24
Joined: Fri Dec 04, 2015 10:56 pm

Re: Protected RouterBOOT

Tue Apr 03, 2018 2:58 pm

Any update for files on 6.41?

Thanks
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Tue Apr 10, 2018 3:35 am

Any update for files on 6.41?

Thanks
Downgrade RouterOS to 6.40.7 "bugfix" and follow my guide:
viewtopic.php?f=2&t=94303&p=580430#p580430
I'm Italian, not English. Sorry for my imperfect grammar.
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Tue Apr 10, 2018 3:36 am

Hello
I think there is a problem with the upgrade on ROS 6.41.
I can upgrade the current RouterBOOT firmware to 3.41 using the .fwf file with no problem.
Upgrading the factory RouterBOOT using the .dpk file also works fine according to the log output (verified & installed), but /system routerboard still shows the old factory version.
I've seen it on RB951G-2HnD and wAP ac.
Best Regards

RouterOS 6.41+ actually is unsupported for upgrading the factory firmware.

Downgrade RouterOS to 6.40.7 "bugfix" and follow my guide:
viewtopic.php?f=2&t=94303&p=580430#p580430
I'm Italian, not English. Sorry for my imperfect grammar.
 
DmitryAVET
Frequent Visitor
Posts: 92
Joined: Thu Mar 26, 2015 12:27 am
Location: Ukraine, Mukachevo

Re: Protected RouterBOOT

Mon Jul 30, 2018 10:33 am

rextended, thanks a lot for the files!

I made a manual for Russian clients, based on your info
https://weblance.com.ua/388-funkciya-pr ... rotik.html
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Sun Aug 05, 2018 1:58 pm

rextended, thanks a lot for the files!

I made a manual for Russian clients, based on your info
https://weblance.com.ua/388-funkciya-pr ... rotik.html
:o
I'm Italian, not English. Sorry for my imperfect grammar.
 
shahbazian
Trainer
Posts: 166
Joined: Fri Sep 09, 2011 6:22 pm
Location: Iran

Re: Protected RouterBOOT

Thu Dec 13, 2018 1:34 am

How to upgrade factory firmware (RouterBOOT)?

I have some old RouterBOARDs with an older version of RouterBOOT. I need to enable Protected RouterBOOT on them, but it is impossible because the factory firmware is older than 3.24.
How do I upgrade that?
Learn MikroTik to improve your network.
( MTCNA, MTCRE, MTCWE, MTCTCE, MTCUME, MTCIPv6E, MTCINE )
MikroTik Certified Trainer & Consultant
RIPE NCC Trainer
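
The precondition discussed in this thread (both the factory and the current RouterBOOT must support the feature, with 3.24 cited as the minimum factory version) can be checked per device before enabling protected-routerboot. This is an added example, not code from any poster or from MikroTik: the sample output is constructed, the field names assume the layout of `/system routerboard print`, and applying the same 3.24 minimum to the current firmware is an assumption.

```python
import re

MIN_VERSION = (3, 24)  # minimum factory RouterBOOT cited in this thread

# Constructed sample of `/system routerboard print` output (not from a real device).
SAMPLE = """\
       routerboard: yes
             model: 951G-2HnD
     serial-number: 000000000000
  factory-firmware: 3.22
  current-firmware: 3.41
  upgrade-firmware: 3.41
"""

def parse_print(text):
    """Parse 'key: value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_version(s):
    """'3.36.3' -> (3, 36, 3). Tuples compare numerically, so 3.9 < 3.24."""
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"unrecognised version: {s!r}")
    return tuple(int(p) for p in s.split("."))

def check_protected_routerboot(text, minimum=MIN_VERSION):
    """Return (ok, reasons); ok is True only if both loaders meet the minimum."""
    fields = parse_print(text)
    wanted = ".".join(map(str, minimum))
    reasons = []
    for key in ("factory-firmware", "current-firmware"):
        raw = fields.get(key)
        if raw is None:
            # Older RouterOS releases may not report this field at all (assumption).
            reasons.append(f"{key} not reported")
            continue
        try:
            if parse_version(raw) < minimum:
                reasons.append(f"{key} {raw} is older than {wanted}")
        except ValueError as exc:
            reasons.append(f"{key}: {exc}")
    return (not reasons, reasons)

if __name__ == "__main__":
    print(check_protected_routerboot(SAMPLE))
```

A device that fails only on `current-firmware` can be fixed with a normal .fwf upgrade; one that fails on `factory-firmware` needs the separate factory package discussed in the thread.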
 
Guntis
MikroTik Support
Posts: 38
Joined: Fri Jul 20, 2018 1:40 pm

Re: Protected RouterBOOT

Thu Dec 13, 2018 7:54 am

How to upgrade factory firmware (RouterBOOT)?
To upgrade the factory firmware you need to use a special package that can be found here:
https://wiki.mikrotik.com/wiki/Manual:R ... bootloader

We will soon add newer version packages on that page.
 
onnoossendrijver
Member
Posts: 418
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Protected RouterBOOT

Thu Dec 20, 2018 12:38 pm

The link to the universal package is not working: File does not exist.
Can you fix the link?
Linux/network engineer: ITIL, LPI1, CCNA R+S, CCNP R+S, JNCIA, JNCIS-SEC
 
normis
MikroTik Support
Posts: 24334
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Protected RouterBOOT

Thu Dec 20, 2018 1:20 pm

The link to the universal package is not working: File does not exist.
Can you fix the link?
Link fixed
No answer to your question? How to write posts
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: Protected RouterBOOT

Mon Jan 07, 2019 6:29 pm

How to upgrade factory firmware (RouterBOOT)?

I have some old RouterBOARDs with an older version of RouterBOOT. I need to enable Protected RouterBOOT on them, but it is impossible because the factory firmware is older than 3.24.
How do I upgrade that?
Please read the instructions here:
viewtopic.php?f=2&t=94303&p=580430#p580430
updated for "Universal" use.
I'm Italian, not English. Sorry for my imperfect grammar.
 
alex3712
just joined
Posts: 1
Joined: Sat Jan 12, 2019 4:08 am

Re: Protected RouterBOOT

Sat Jan 12, 2019 4:16 am

Hello, there are some solutions for the mipsbe ar7240 factory-firmware upgrade to at least 3.33
 
CoMMyz
just joined
Posts: 24
Joined: Fri Dec 04, 2015 10:56 pm

Re: Protected RouterBOOT

Sat Jan 26, 2019 1:12 pm

Can someone from MikroTik please update the wiki link for 6.43.8 Universal?
It is currently for 6.43.7 - I hate downgrading just for this.

Thank you

@normis
 
Keyko
newbie
Posts: 26
Joined: Sat Dec 23, 2017 6:27 pm

Re: Protected RouterBOOT

Tue Feb 05, 2019 7:15 pm

Any updates? Maybe make auto update of RouterBOOT firmware with ROS??
 
Keyko
newbie
Posts: 26
Joined: Sat Dec 23, 2017 6:27 pm

Re: Protected RouterBOOT

Thu Feb 28, 2019 4:26 pm

Any updates? Maybe make auto update of RouterBOOT firmware with ROS??
 
Keyko
newbie
Posts: 26
Joined: Sat Dec 23, 2017 6:27 pm

Re: Protected RouterBOOT

Sat Apr 13, 2019 11:34 am

Can anyone answer - will there be a Universal 6.43.7 enable for 6.43.x RouterOS update for all platforms? Should I install it and is there a changelog ???
 
rw3aui
just joined
Posts: 2
Joined: Fri Sep 27, 2019 6:26 pm

Re: Protected RouterBOOT

Fri Sep 27, 2019 6:34 pm

Good day, where can I find the bin file for a programmer? I broke the flash.
