Protected RouterBOOT

kmailz · Sun Feb 22, 2015 10:44 pm

Hi all,
I found new protected-routerboot setting in Wiki. Sounds too good to be true so I've installed update package for backup RouterBOOT. Do everything as written in Wiki.. And result? Nothing, still was able to boot into netinstall mode.
It takes me two days of fun to found that my RB is not supported.

rb_log.jpg

RB 750
ROS 6.27
RB FW: 3.22

There's coming question: will be 750 supported?

And please specify supported models in Wiki.

Thanks

Mon Feb 23, 2015 12:35 pm

older devices have no ability to upgrade backup bootloader. only RB9xx and newer are supported

kmailz · Mon Feb 23, 2015 9:47 pm

Okay thanks.

from wiki:

Newer devices will have this new backup loader already installed in factory

Will be this applied to older devices like RB750?

Caci99 · Wed Feb 25, 2015 11:24 pm

This is a good feature but not as I would have expected it to act yet. It is a good first step to protect the routerboards which are installed into the open.

My main concern is about SXT Lite. What actually happens, is that a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT. Keep in mind that SXT is generally offered free of charge to the customer, so there is one lost. Time after time this is a considerable loss. I have even asked support long time ago if there was anyway to stop others from steeling routerboards installed at open by resetting or netinstall-ing them. But there was no way to protect a routerboard from netinstall.

This new method is a good step at protecting the routerboards, but still one can netinstall by holding the reset button for the given time. I just tested it on a SXT, and the SXT even flashes after the time is reached, indicating that the button can be released and it enters into netistall.

My suggestion would be, is it possible to add a password to protect the routerboard from netinstall? A password which will prompt at the netinstall window? This is a better way to protect it.
I am glad that this issue has been addressed since it is a serious one, but I think it needs to be better than as it is now at this stage.

marrold · Wed Feb 25, 2015 11:57 pm

a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT

This is a 'contract' issue, not a software / hardware problem. I can't think of many/any devices that can't be forced to factory reset in some way.

Caci99 · Thu Feb 26, 2015 12:13 am

This is a 'contract' issue, not a software / hardware problem. I can't think of many/any devices that can't be forced to factory reset in some way.

Oh well, so nothing to do about it, right? What about routerboards on towers and masts out in the open? Are you going to pay guards who's salary exceeds the value of the devices? And it depends on the country where you live. Here where I am, half of the customers don't want contracts, if you talk about contracts they look at you as if you are talking alien. I am talking things that do happen in real life not about hypothetical situations.
As I said, it is a good thing MikroTik introduced this feature, it only needs to be better.

marrold · Thu Feb 26, 2015 9:51 am

Like I said, I cant think of a single device that can be completely locked down. Most can be factory reset in some way, even if you have to solder something to the serial port on the board etc.

In the ideal world, how would Protected RouterBOOT work for you?

Thu Feb 26, 2015 12:06 pm

How does password differ from Protected RouterBOOT setting?

The only difference is ability to format the device for reset, but this is for the situation where you forget the password. Otherwise you would just brick it without recovery.

There is no way to protect against reset. If somebody really wants, they could even remove the NAND.

Caci99 · Thu Feb 26, 2015 7:36 pm

Like I said, I cant think of a single device that can be completely locked down.

And I can't think of single bank which can't be stolen, coincidentally one was stolen two weeks ago in my town

. This doesn't mean that measures has to be taken.

How does password differ from Protected RouterBOOT setting?

The password I mentioned was about the neinstall, but you don't have to follow my idea, you surely can come up with a better one. For example, a pattern pressing the button, like a port knocking. Like 20s keeping it pressed, then 5s pause, then 10s pressed and so on.
I may have understood it wrong, but i think Protected RouterBOOT was introduced to protect the router from being accessed by unauthorized people and as it stands now, unauthorized people can still access the routerboard by netinstall. All they need to do is a 5min read of the wiki and 5min test like I did.

jandafields · Fri Mar 27, 2015 7:05 pm

I've been trying to figure out the actual purpose of protected-bootloader is, and I cannot yet figure it out.

First, without the admin password, I don't know of anyway to steal someone's configuration file. Sure, you can netinstall and reset the unit, which will delete the config, but that won't get you the old configuration. So, the purpose of protected-bootloader is not to protect the config file.

Second, you can netinstall and reinstall mikrotik regardless of the protected-bootloader setting, without knowing the admin password, and without knowing the seconds setting. Simply hold the button until it flashes, and then netinstall. Easy. So, the purpose of protected-bootloader is not to stop netinstall from working.

So ... what is the purpose of protected-bootloader???

Fri Mar 27, 2015 7:45 pm

I may have understood it wrong, but i think Protected RouterBOOT was introduced to protect the router from being accessed by unauthorized people

Yes, you understood it wrong. Protected RouterBOOT is for protecting configuration of your device (including all the sensitive data it may contain) from access by unauthorized persons, but not to protect the device itself.

Fri Mar 27, 2015 7:48 pm

First, without the admin password, I don't know of anyway to steal someone's configuration file. Sure, you can netinstall and reset the unit, which will delete the config, but that won't get you the old configuration. So, the purpose of protected-bootloader is not to protect the config file.

You can boot anything using Netinstall, not just RouterOS installer. You can boot Linux there, login via ssh and read whatever is stored on the NAND chip. Protected RouterBOOT prevents that.

jandafields · Fri Mar 27, 2015 8:03 pm

Ah, ok. Thank you.

Sat Mar 28, 2015 9:43 am

Yes exactly.

Protecting against reset is not possible, since then you would have devices that can only be discarded / thrown away, if somebody forgets the password. Not something anybody wants really.

jandafields · Sat Mar 28, 2015 7:39 pm

Yes exactly.

Protecting against reset is not possible, since then you would have devices that can only be discarded / thrown away, if somebody forgets the password. Not something anybody wants really.

Actually, based on the other posts here, I think that people DO want a device that would have to be discarded if the password is lost.

I think it would be better for a device to be thrown away, rather than a competitor to end up using it. Theft deterrent.

jandafields · Sat Mar 28, 2015 7:43 pm

Like I said, I cant think of a single device that can be completely locked down. Most can be factory reset in some way, even if you have to solder something to the serial port on the board etc.

Wrong. There ARE devices that are useless without a password. iPhones and iPads have a locking feature where ONLY the owner can unlock it. If someone else gets a hold of the device, other than the owner, it is impossible to use (unless the owner unlocks it first).

It's called "Activation Lock" or "Find My iPad". There is currently no known way to bypass this lock. There are many stories of buying these devices on eBay when the originally did not unlock it (or it was stolen and resold), where the purchaser had no way to use it.

So, not an exact comparision, but yes there are tech devices that can be completely locked down.

freemannnn · Sat Mar 28, 2015 7:59 pm

where exactly is this option of protected-routerboot? i cant find it in my rb2011 and rb951 latest ros and firmware.

jandafields · Sat Mar 28, 2015 8:14 pm

where exactly is this option of protected-routerboot? i cant find it in my rb2011 and rb951 latest ros and firmware.

You have to do it from the command line:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader

freemannnn · Sat Mar 28, 2015 8:18 pm

i already read the wiki. but i cant find it even in terminal. can u give me the command?

jandafields · Sat Mar 28, 2015 8:33 pm

i already read the wiki. but i cant find it even in terminal. can u give me the command?

Did you follow the instructions in the wiki, INCLUDING downloading and installing the required package?

http://www.mikrotik.com/download/share/ ... e_6_27.dpk

freemannnn · Sat Mar 28, 2015 8:38 pm

no i didnt install this package. so i have to drag and drop it in files and reboot to get it installed? and after i will find the option in settings?

jandafields · Sat Mar 28, 2015 9:08 pm

no i didnt install this package. so i have to drag and drop it in files and reboot to get it installed? and after i will find the option in settings?

Correct, this package is required for it to work. Install it just like you would any upgrade package.

freemannnn · Sun Mar 29, 2015 12:43 am

If i understand correct the reformat-hold-button (5s .. 300s; Default: 20s) is an last option to get access to device with loosing configuration. So if i set this to eg 230 sec the next guy who tries to reset it by this way its impossible to find this timing, right?
The device gets unusable if you dont leave default seconds to 20. Who will try sec by sec to find the right one?

Sun Mar 29, 2015 12:59 am

If i understand correct the reformat-hold-button (5s .. 300s; Default: 20s) is an last option to get access to device with loosing configuration. So if i set this to eg 230 sec the next guy who tries to reset it by this way its impossible to find this timing, right?
The device gets unusable if you dont leave default seconds to 20. Who will try sec by sec to find the right one?

I'd bet they could also keep it pressed for longer, just not shorter.

So the next guy, worst case scenario, will have to sit like an idiot for 5 minutes (300 seconds) pressing that button down, at least until a led starts flashing... If they're REALLY motivated to reuse your equipment, they might actually do it... or (if this becomes a common practice) create a rig that keeps the button pressed, until they manually pull it out of said rig, 5 minutes later.

freemannnn · Sun Mar 29, 2015 1:06 am

Ahhh ok i didnt see that a led will start flashing when right time -seconds reached. I thought you have to be very lucky blindly count with a watch trying to guess when you have to stop pressing button.

Sun Mar 29, 2015 1:15 am

Ahhh ok i didnt see that a led will start flashing when right time -seconds reached. I thought you have to be very lucky blindly count with a watch trying to guess when you have to stop pressing button.

Actually, you might be right... I was extrapolating from the fact a "normal" reset has a led flashing as an indicator, but I see no indication in the wiki that this would happen with a protected boot's reset.

But still... I'd guess you could keep the button pressed for longer, so if the next guy keeps it pressed for 5 minutes, they're guaranteed to reset it.

Alternatively, there may be some small window around the time (e.g. 5 seconds, maybe 10). I mean, there MUST be SOME sort of window, considering that even if you KNOW the exact number of seconds needed and you have a clock with you, you're unlikely to hit that exact second, and having the button accept 5 additional seconds would let you hold down the button for one or two more seconds, rather than "just barely making it".

If there's 5 second window, it means one has to check 59 possible 5 second intervals, which would in turn cover the remaining 235 settings. Admittedly, even 59 attempts is a little too many for a manual process like this one.

jandafields · Sun Mar 29, 2015 2:18 am

Yes, the light flashes when the correct number of seconds has been reached. The "seconds" is really not a security measure at all, I don't know why they make it adjustable since the light flashes anyway.

Sun Mar 29, 2015 9:14 am

I see this function to be rather useless complication than anything I would like to install to my devices...

freemannnn · Sun Mar 29, 2015 11:34 am

apples security "find my iphone" i think is one of the best for the moment. they lock the device to the owner. you format the device and it asks the last owner apple id so you can use it again. but this is right for devices that can be stolen, eg mobiles.

if this happens to routers,cpe owners of them like organization hotels etc will start a war to mikrotik for not beeing able to reset them because of a past IT that passcode them!

Sun Mar 29, 2015 3:29 pm

I see this function to be rather useless complication than anything I would like to install to my devices...

Other people's mileage may vary. I see Protected RouterBOOT as another important step towards corporate market, where it us mandatory, for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment.

Cisco ASA, for instance, has similar feature: "no service password-recovery".

Sun Mar 29, 2015 3:43 pm

for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment

You don't need protected RouterBOOT for that particular scenario.

If the personnel has physical access to the device, but not the router password, they can reset the device, and upon normal reset, all settings, including said IPsec shared secrets, are lost. Only the HDD contents are preserved.

What the protected RouterBOOT protects from is if the personnel decides to ditch your IPsec shared secrets, in favor of a different network setup (say, one without IPsec at all) that they'll start setting up from scratch on their own (effectively taking the router for themselves; The bastards!)... or if the HDD contains sensitive data that wouldn't otherwise be gone, like say, a User Manager database.

Sun Mar 29, 2015 4:02 pm

for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment
You don't need protected RouterBOOT for that particular scenario.

If the personnel has physical access to the device, but not the router password, they can reset the device, and upon normal reset, all settings, including said IPsec shared secrets, are lost. Only the HDD contents are preserved.

What the protected RouterBOOT protects from is if the personnel decides to ditch your IPsec shared secrets, in favor of a different network setup (say, one without IPsec at all) that they'll start setting up from scratch on their own (effectively taking the router for themselves; The bastards!)... or if the HDD contains sensitive data that wouldn't otherwise be gone, like say, a User Manager database.

no, they actually could boot a different OS and read your settings ... netinstall is not the only thing you can boot.

Sun Mar 29, 2015 4:51 pm

no, they actually could boot a different OS and read your settings ... netinstall is not the only thing you can boot.

Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".

Sun Mar 29, 2015 5:15 pm

Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".

No. Even with "boot-device=nand-only" you can force network boot with reset button.

Sun Mar 29, 2015 5:35 pm

Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
No. Even with "boot-device=nand-only" you can force network boot with reset button.

Oh. I see... it all makes sense now.

troffasky · Sun Mar 29, 2015 9:50 pm

if this happens to routers,cpe owners of them like organization hotels etc will start a war to mikrotik for not beeing able to reset them because of a past IT that passcode them!

I doubt it. Mikrotik can't be blamed for your IT not giving you the password they've set on your kit.
To cite another example, the recovery procedure for a lost password on a Mobotix IP camera is to send it back to the factory in Germany, and that particular feature can't be turned off

kgninfos · Sun Aug 02, 2015 11:21 am

i just installed the pack on a 911 board and as per log it was installed
but in routerboard>settings i am unable to find any option to enable it

an any one guide me with the exact command / process

Thanks

Mon Aug 03, 2015 9:36 am

More info here http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader

kgninfos · Mon Aug 03, 2015 10:37 am

i am not getting the options after i have installed the packege
thats why i am asking here

Mon Aug 03, 2015 10:47 am

i am not getting the options after i have installed the packege
thats why i am asking here

did you check the log, after installing the package? it usually gives reason what failed. maybe your device is too old. it will say in the log. try to upload and reboot once more, then check log

package: http://www.mikrotik.com/download/share/ ... e_6_27.dpk

kgninfos · Mon Aug 03, 2015 11:04 am

As per log it was installed

kgninfos · Tue Aug 04, 2015 4:07 pm

Please reply why i am not getting the options

kgninfos · Thu Aug 06, 2015 7:39 am

Please someone reply why i am not getting the options

Thu Aug 06, 2015 1:18 pm

Please someone reply why i am not getting the options

Write to support[at]mikrotik.com asking this same question. This is a user forum, and I believe protected RouterBOOT is not a widely used option.

longerCZ · Mon Sep 07, 2015 7:55 pm

Hello guys, can you please help me clarify following situation?

I give my clients MikroTik hAP lite routers and I want to protect them to not be able to be accidentaly reseted (our customers like to touch hidden buttons, don't know why). So I have done following settings with the discussed new feature like this:

boot-device: nand-only
cpu-frequency: 650MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
protected-routerboot: enabled
reformat-hold-button: 5m

So now:
-holding reset button reasonable time makes nothing
-it boots just from NAND so there is no chance to boot from network

But what exactly happens when someone holds reset button more then 5 minutes? It enables Netinstall or just resets config? I have tried to press it longer then "reformat-hold-button" time on one testing device and it seems to be bricked...

Thanks a lot!

Tue Sep 08, 2015 1:04 pm

Hello guys, can you please help me clarify following situation?

I give my clients MikroTik hAP lite routers and I want to protect them to not be able to be accidentaly reseted (our customers like to touch hidden buttons, don't know why). So I have done following settings with the discussed new feature like this:
Code: Select all
boot-device: nand-only
cpu-frequency: 650MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
protected-routerboot: enabled
reformat-hold-button: 5m
So now:
-holding reset button reasonable time makes nothing
-it boots just from NAND so there is no chance to boot from network

But what exactly happens when someone holds reset button more then 5 minutes? It enables Netinstall or just resets config? I have tried to press it longer then "reformat-hold-button" time on one testing device and it seems to be bricked...

Thanks a lot!

Just like manual explains, it will erase the NAND in a secure way, and essentially Brick the device. So what you see is as it should be.

See last option, the one that says EXTREMELY DANGEROUS:

http://wiki.mikrotik.com/wiki/Manual:Ro ... D_settings

bajodel · Tue Sep 08, 2015 7:38 pm

Probably my english is really bad, but I can't understand the manual page.

.. So..

If I press reset for "reformat-hold-button" seconds the board erase (deep mode) all and I can netinstall a fresh new install.

If I press for more seconds than "reformat-hold-button", the device is unrecoverabily bricked ?

If yes, which is the tolerance windows (seconds) of reformat-hold-button ?

Wed Sep 09, 2015 10:14 am

No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.

bajodel · Wed Sep 09, 2015 10:44 am

No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.

Perfect, now it's clear. Thanks.

longerCZ · Mon Sep 14, 2015 2:28 pm

No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.

So a procedure of NetInstall after holding RESET button for "reformat-hold-button" time is what?

I have tried to do steps as mentioned in NetInstall manual:
-I have IP on computer's NIC
-I have IP from the same subnet set in NetInstall
-RB941-2nD is connected directly to NIC
-RB941-2nD is powered on with pushed RESET button for approx 15s

When i just boot the device without RESET button, it's eth ports blinks randomly. If I use previous steps, it acts normaly (all eth ports are off, only connected one is on). The thing is that it doesn't appear in the list of NetInstall. When I use another working device it show in the list normally, so PC's configuration seems to be OK.

Device is still bricked. Any help?

Mon Sep 14, 2015 2:33 pm

Did you connec the PC to the Ether1 port of the router ?

-RB941-2nD is powered on with pushed RESET button for approx 15s

keep holding the button longer, until you see the device in Netinstall

also make sure PC has no firewall or antivirus that could be blocking Netinstall. Also you can try to right-click it and "Run as administrator"

bajodel · Mon Sep 14, 2015 3:25 pm

..[CUT]..
So a procedure of NetInstall after holding RESET button for "reformat-hold-button" time is what?

I have tried to do steps as mentioned in NetInstall manual:
-I have IP on computer's NIC
-I have IP from the same subnet set in NetInstall
-RB941-2nD is connected directly to NIC
-RB941-2nD is powered on with pushed RESET button for approx 15s

..[CUT]..
Device is still bricked. Any help?

The routerboard should be connected on ether1 (normally ..read manual for specific device).

longerCZ · Mon Sep 14, 2015 7:21 pm

Did you connec the PC to the Ether1 port of the router ?

-RB941-2nD is powered on with pushed RESET button for approx 15s
keep holding the button longer, until you see the device in Netinstall

also make sure PC has no firewall or antivirus that could be blocking Netinstall. Also you can try to right-click it and "Run as administrator"

I have tried holding RESET button for over 8 minutes and it didn't appear. The device is connected to ether1, I have also tried ether2. NetInstall is running on WinXP machine specially dedicated to these jobs. It's not connected to the Internet, doesn't have firewall enabled and no AV installed. There is only account - Administrator. All files are up to date as they are recently published on mikrotik.com.

Now I think the device is bricked if the RESET button doesn't need to be held for 1 hour or so...

freemannnn · Sun Dec 06, 2015 7:30 pm

so what happened at last? was the device bricked?

longerCZ · Sun Dec 06, 2015 9:40 pm

so what happened at last? was the device bricked?

yes, bricked, changed on warranty...

freemannnn · Sun Dec 06, 2015 9:58 pm

This was random i imagine. It shouldnt happen right?

longerCZ · Mon Dec 07, 2015 12:21 pm

This was random i imagine. It shouldnt happen right?

It shouldn't but I am pretty sure that this will happen with every board. We just need to hope that noone will have the great idea of holding the reset button for 5 minutes.

kgninfos · Sun Dec 27, 2015 1:55 pm

what do you think about this idea
for Level 3 Device (mostly used for CPE) make an option that till device is activated by connecting to internet features like bridge and NAT will not work
this will force users to activate it after reset and for activation it should query Mikrotik Account id and there you can setup some ownership think like if i purchase a device then the Sl number will be mapped under my mikrotik id and i can only unlock it
when i sell it someone there should be option to transfer ownership from the online Mikrotik panel

by doing this user will be forced to ask us to unlock the device before they switch provider (after all we are providing CPE to users at a very much discounted rate or even free some times)

Sun Dec 27, 2015 3:02 pm

Is there anyone having problems with stealing your equipment? Do you think that not informed thief will not steal your devices if it will be blocked somehow? Do you believe that informed thief will return back your blocked device? My opinion is that this feature is just another artificial source of future potential problems and generally for nothing.

kgninfos · Sun Dec 27, 2015 3:14 pm

see i am not trying to preveny cpe from being stolen
but think from a customer view he and other providers will also know that cpe can not be used with other network unless we allow it
so they will have to get a new cpe
why i am telling this is we are giving free sxt with connection and customer take connection from us and after 1 Month instead of paying us they approch other provider to give connection on cpe and not to charge any installation cost

so we are the ultimate looser

Sun Dec 27, 2015 5:13 pm

But you can take a deposit for some initial period from customer or make an agreement that you will invoice the costs under such conditions...

kgninfos · Sun Dec 27, 2015 5:26 pm

Make agreement then go to court for such small amount
even lawer will charge more than the cost of cpe

Sun Dec 27, 2015 5:32 pm

... Deposit...

Caci99 · Mon Dec 28, 2015 12:35 pm

I have wrote it before, but I will repeat it. The situation is as @kgninfos describes it. You give CPE for free to new customer (or whatever deal you are offering), than competition arrives and offers him a better deal using the CPE. Customer is unaware of what is behind, he is just looking for the better deal. It is not possible to go to court or use of whatever other legal instrument in countries like mine.
If the access to the board is blocked, the competition will not be able to give the service, even if he will try. So without the CPE he will need to change the offer or just step back. Sooner or later the situation described will not be possible anymore. Everyone will have to offer the deals with their own equipment. A lot of my customers who are small WISP themselves have asked for such a feature for long time.

Zorro · Mon Dec 28, 2015 9:06 pm

so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change

Tue Dec 29, 2015 10:38 am

so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change

please report a bug to mikrotik

Zorro · Tue Dec 29, 2015 10:14 pm

so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change
please report a bug to mikrotik

how i can report bugs to mikrotik?

troffasky · Wed Dec 30, 2015 12:43 am

Email support.

But really, economic problem won't be fixed with technical workarounds. If you aren't charging enough to cover your costs, Mikrotik cannot fix this for you.

kgninfos · Wed Dec 30, 2015 7:08 am

i guess you have not got a competitor or very rich people are there who are paying

think why apple is giving device lock when we all know apple phones are costly and their owner can afford a new phone

Wed Dec 30, 2015 8:36 am

so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change
please report a bug to mikrotik
how i can report bugs to mikrotik?

email support@mikrotik.com

Wed Dec 30, 2015 8:39 am

This feature is not to prevent something from being stolen. It is to protect your data. The feature allows to block device from using network boot to access your data without password. By using protected routerboot, a forgotten password will mean to nullify your NAND, then Netinstall. This way, if somebody steals your device, your config and passwords are safe.

Zorro · Thu Dec 31, 2015 1:18 am

hardwired anti-thieft tech - also can be implemented in firmware, just like in notebooks, but i hope it was never happen, because its exploitable(and usually by random 3rd-parties)as hell and cause more damage than save money.

skyhawk · Mon Jan 18, 2016 2:48 pm

My test-bench RB941-2nD cannot enter protected-bootloader mode. Upon factory reset the bootloader reverts to 3.19, which I'm guessing is the backup bootloader?

Can I ask for a protected-bootloader-install package for smips? the -mipsbe one refuses to install.

RouterOS 6.33.5, /system routerboard shows current firmware is 3.29
protected-bootloader doesn't appear anywhere under /system routerboard or /system routerboard settings.

Mon Jan 18, 2016 4:05 pm

To enable protected RouterBOOT, you have to update board backup BIOS to v3.24.

This backup BIOS package can be downloaded here:
http://www.mikrotik.com/download/share/ ... mipsbe.dpk

More info here:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader

Enable protected RouterBOOT under:
/system routerboard settings set

skyhawk · Tue Jan 19, 2016 3:44 am

Thanks PaulsMT, but I need an install package for smips...

jan/01 00:00:04 system,info verified protected_routerboot_v3_24_enable_6_29_1_mipsbe.dpk 
13:36:09 system,error can not install protected-router-6.29: it is not made for smips, but for mips 
13:36:09 system,info router rebooted 

[admin@RB941-2nD-560C045163E9] > /system routerboard settings set protected-routerboot=enabled 
echo: system,info,critical Current RouterBOOT does not support this feature

Thu Jan 21, 2016 11:39 am

Thanks PaulsMT, but I need an install package for smips...

jan/01 00:00:04 system,info verified protected_routerboot_v3_24_enable_6_29_1_mipsbe.dpk 
13:36:09 system,error can not install protected-router-6.29: it is not made for smips, but for mips 
13:36:09 system,info router rebooted 

[admin@RB941-2nD-560C045163E9] > /system routerboard settings set protected-routerboot=enabled 
echo: system,info,critical Current RouterBOOT does not support this feature

Thank you for reporting us, we have just added missing package for smips. You can download it here:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader

Press link for smips platform to download file.

soueidan · Mon Feb 29, 2016 5:26 pm

Hello All,

As it is mentioned in the wiki " The backup RouterBOOT version can not be older than v3.22 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory."

However, what is the way to upgrade the backup RouterBOOT ?

Simply draging the file into files section and rebooting is not working!

Is there a special way to do so?

Looking forward for replies.

Thanks in advance.

Tue Mar 22, 2016 2:32 pm

Hello All,

As it is mentioned in the wiki " The backup RouterBOOT version can not be older than v3.22 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory."

However, what is the way to upgrade the backup RouterBOOT ?

Simply draging the file into files section and rebooting is not working!

Is there a special way to do so?

Looking forward for replies.

Thanks in advance.

1. Make sure your RouterOS is not very old - for Tile and Smips at least 6.33, for mipsbe 6.29.1
2. drag & drop DPK update file for your architecture:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader
3. Reboot.

You should see update information in the log output (/log print)

skyhawk · Sat Jun 11, 2016 8:28 am

05:16:31 system,info verified protected_routerboot_v3_29_enable_6_33_smips.dpk
05:16:32 system,info installed protected-router-6.33
05:16:32 system,info FAILED to enable protected RouterBOOT: wrong running booter version

model: RouterBOARD 941-2nD
serial-number: <...>
firmware-type: qca9531L
factory-firmware: 3.19
current-firmware: 3.33
upgrade-firmware: 3.33

uptime: 8m43s
version: 6.35.2 (stable)
build-time: May/02/2016 10:09:26
<....>
architecture-name: smips
board-name: hAP lite
platform: MikroTik

Any chance for an updated protected-router package for smips?

ofca · Sat Oct 01, 2016 3:22 am

I'm having the same problem as above.

Nord · Fri Oct 21, 2016 11:10 am

I'm having the same problem as above.

[admin@Aseev_SV] /system routerboard settings> set protected-routerboot=enabled
echo: system,info,critical Current RouterBOOT does not support this feature
[admin@Aseev_SV] /system routerboard settings> pri
;;; Current RouterBOOT does not support this feature
boot-device: nand-if-fail-then-ethernet
cpu-frequency: 600MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
[admin@Aseev_SV] /system routerboard settings> ..
[admin@Aseev_SV] /system routerboard> print
;;; Current RouterBOOT does not support this feature
routerboard: yes
model: SXT 5nD r2
serial-number: 522304A494DE
firmware-type: ar9344
factory-firmware: 3.22
current-firmware: 3.33
upgrade-firmware: 3.33
[admin@Aseev_SV] /system routerboard> print
;;; Current RouterBOOT does not support this feature
routerboard: yes
model: SXT 5nD r2
serial-number: 522304A494DE
firmware-type: ar9344
factory-firmware: 3.22
current-firmware: 3.33
upgrade-firmware: 3.33

agnostic · Fri Oct 21, 2016 6:09 pm

why want a device that is impossible to reset to some standard and known settings? in case something goes bad you will have a dead router. it is prefered the router to work even in another provider. if you want to be ok to the idea that a client maybe use the device with other provider then charge them for it and then just protect your setting and passwords with this feature.

kadhim09 · Sat Nov 05, 2016 7:21 pm

older devices have no ability to upgrade backup bootloader. only RB9xx and newer are supported

so can i use bootloader in sxt ligth

rextended · Sat Jan 28, 2017 3:01 pm

WARNING: DOING IT IS AT ALL YOUR RISK!!!

I can't test all model, but if I find one problem, I report that here.

IF YOUR HARDWARE HAVE MAJOR VERSION OF RESPECTIVE FACTORY BOOT, DO NOTHING!!!
You can see Factory Firmware version from RouterOS 6.34rc45 with "/system routerboard print" command

Actually the 5 files on
http://wiki.mikrotik.com/wiki/Manual:Ro ... D_settings
are:
https://www.mikrotik.com/download/share ... mipsbe.dpk
https://www.mikrotik.com/download/share ... _smips.dpk
https://www.mikrotik.com/download/share ... _mmips.dpk
https://www.mikrotik.com/download/share ... 0_tile.dpk
https://box.mikrotik.com/f/313edb5d0e2f479b8aba/?dl=1 ( Universal 6.43.7 enable for 6.43.x RouterOS )

Those Factory RouterBOOT are ALSO a replacement for previous bugged Factory RouterBOOT!!!

DO NOT UPGRADE DISTANT HARDWARE, SOMETIME (in case of error) MANUAL REBOOT IS NEEDED!!!
I HAVE WARNED YOU...

Before the use:
Check RouterOS version, only 6.40.9 and 6.43.7 "support all hardware supported" (previous versions sometime do not rightly recognize RB also if supported) for upgrade factory bios (for now with the mikrotik's files provided)
You must chose the right file for the RouterBOARD architecture.

UNSUPPORTED:
arm all [AL2(L), DX3230(L), IPQ8060, IPQ4000(L), ...]
mipsle all [adm5120, ar2316, rc32434, ...]
powerpc all [amcc460, mpc8323, mpc8343, mpc8544, mpc8548, p1023, p2020, ...]
EDIT: 6.43.7 contains powerpc [only mpc8544, p1023, p2020] BIOS, but I not have actually tested if work
x86 all [RB230 wlb, ...]
and obviously any SwOS / SwitchOS only board.

The ONLY architecture supported are mipsbe, smips, mmips and tile!!!
EDIT: 6.43.7 contains powerpc [only mpc8544, p1023, p2020], but I not have actually tested if work

EDIT: MikroTik actually do not publish single 6.43.7 BIOS files, use RouterOS 6.43.7 for update the current bios to the right version for upgrade.

the file for tile supports:
tilegx (3.41 http://i.mt.lv/routerboard/files/tilegx_3.41.fwf )

the file for mmips supports:
mt7621L (3.41 http://i.mt.lv/routerboard/files/mt7621L_3.41.fwf )
the mmips mt7621 (without "L") if exist, is UNSUPPORTED

the file for smips supports:
qca9531L (3.41 http://i.mt.lv/routerboard/files/qca9531L_3.41.fwf )
the smimps qca9531 (without "L") if exist, is UNSUPPORTED

the file for mipsbe supports:
ar7100 (3.41 http://i.mt.lv/routerboard/files/ar7100_3.41.fwf ) some old models still unsupported, i do not have one precise list
ar9330 (3.41 http://i.mt.lv/routerboard/files/ar9330_3.41.fwf )
ar9330L (3.41 http://i.mt.lv/routerboard/files/ar9330L_3.41.fwf )
ar9340 (3.41 http://i.mt.lv/routerboard/files/ar9340_3.41.fwf )
ar9340L (3.41 http://i.mt.lv/routerboard/files/ar9340L_3.41.fwf )
ar9344 (3.41 http://i.mt.lv/routerboard/files/ar9344_3.41.fwf )
ar9344L (3.41 http://i.mt.lv/routerboard/files/ar9344L_3.41.fwf )
qca8513 (3.41 http://i.mt.lv/routerboard/files/qca8513_3.41.fwf )
qca8513L (3.41 http://i.mt.lv/routerboard/files/qca8513L_3.41.fwf )

qca8719 (without "L") if exist, is UNSUPPORTED
qca8719L (3.41 http://i.mt.lv/routerboard/files/qca8719L_3.41.fwf )
qca9531 (without "L") if exist, is UNSUPPORTED
qca9531L (3.41 http://i.mt.lv/routerboard/files/qca9531L_3.41.fwf )
qca9550 (3.41 http://i.mt.lv/routerboard/files/qca9550_3.41.fwf )
qca9550L (3.41 http://i.mt.lv/routerboard/files/qca9550L_3.41.fwf )

the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).

The single file update the Factory RouterBOOT with same version on is name and require before upgrade the same bios on filename as current firmware (active and booted):

https://www.mikrotik.com/download/share ... 0_tile.dpk
Before the update the tile must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

https://www.mikrotik.com/download/share ... _smips.dpk
Before the update the smips must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

https://www.mikrotik.com/download/share ... _mmips.dpk
Before the update the mmips must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

https://www.mikrotik.com/download/share ... mipsbe.dpk
Before the update the mipsbe must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

*** START EDIT ***
https://box.mikrotik.com/f/313edb5d0e2f479b8aba/?dl=1 ( Universal 6.43.7 enable for 6.43.x RouterOS )
For use "Universal" factory boot update, RouterOS must be 6.43.7, current bios must be 6.43.7 from boot (not just updated).
*** END EDIT ***

After the update of Factory RouterBOOT with support for protected-routerboot, you can upgrade again the current bios to the latest version present on future version of RouterOS.

I hope all is clear now for all.

rextended · Sat Jan 28, 2017 3:08 pm

...

http://forum.mikrotik.com/viewtopic.php ... 30#p580430

rextended · Sat Jan 28, 2017 3:09 pm

...

http://forum.mikrotik.com/viewtopic.php ... 30#p580430

rextended · Sat Jan 28, 2017 3:17 pm

why want a device that is impossible to reset to some standard and known settings? in case something goes bad you will have a dead router. it is prefered the router to work even in another provider. if you want to be ok to the idea that a client maybe use the device with other provider then charge them for it and then just protect your setting and passwords with this feature.

My CPE are not sold to end user. If someone steals my CPE I not want than the thief also steals the "intellectual property", the passwords, etc.
At the end of the contracts the end user must give back the CPE.

The protected routerboot do not "protect" hardware but just the "intellectual property", the passwords, etc. inside the configuration.

If for some reason end user buy the CPE or other hardware, at the end of contract the routerboard is still fully usable, but the end user must clean all "intellectual property", the passwords, etc., after use it, because the user do not pay me for it's rent.

Mazutti · Sun Apr 16, 2017 7:42 pm

So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn´t get any results.

Can anyone confirm if this error means these RBs are not supported (too old) or if that´s something I´m doing wrong?

Any additional information, I would be glad to share.

Thanks in advance.

Mazutti

rextended · Tue Apr 18, 2017 3:24 pm

So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn´t get any results.

Can anyone confirm if this error means these RBs are not supported (too old) or if that´s something I´m doing wrong?

Any additional information, I would be glad to share.

Thanks in advance.

Mazutti

fixed, use 6.40.7
viewtopic.php?f=2&t=94303&p=580430#p580430

Mazutti · Wed Apr 19, 2017 10:04 pm

So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn´t get any results.

Can anyone confirm if this error means these RBs are not supported (too old) or if that´s something I´m doing wrong?

Any additional information, I would be glad to share.

Thanks in advance.

Mazutti
I try the same with one 922UAGS-5HPacD with same error code 14 with 6.38.5

Downgraded to 6.37.5 for update and is working as expected

Is like the protected routerboot upgrade is stopping work on 6.38(.5)???

Makes sense, since both of my devices are on 6.38.5. Tested downgrading the mAP-2n to 6.37.5 and doing the procedure again and now protected routerboot is enabled. Will do the same on RB951G and report back.

Thanks again.

Mazutti

Fri Apr 21, 2017 12:59 pm

It seems to me that you are following the procedure that only applies to very old devices, that need a special package. This package is no longer compatible with new RouterOS. We will soon make new packages.

But you don't need this package. You can just enable this feature from the console:

/system routerboard settings set protected-routerboot=enabled

Mazutti · Fri Apr 21, 2017 2:55 pm

It seems to me that you are following the procedure that only applies to very old devices, that need a special package. This package is no longer compatible with new RouterOS. We will soon make new packages.

But you don't need this package. You can just enable this feature from the console:
Code: Select all
/system routerboard settings set protected-routerboot=enabled

Normis,

Yes, I followed the procedure rextended described above. RB951G also has been upgraded successfully after going back to 6.37.5, downgrading the firmware to 3.24, and then applying the mipsbe .dpk file. Message from a RB2011, if I try to apply the code you mentioned, on 6.38.5 is that "Current RouterBOOT does not support this feature.", and that is one of the last RB I have that yet doesn´t support protected routerboot. If that error is not intended and you want access to or more information from the RB2011, just let me know, would be glad to help.

Thanks in advance.

Mazutti

rextended · Thu Apr 27, 2017 6:03 pm

It seems to me that you are following the procedure that only applies to very old devices, that need a special package. This package is no longer compatible with new RouterOS. We will soon make new packages.

But you don't need this package. You can just enable this feature from the console:
Code: Select all
/system routerboard settings set protected-routerboot=enabled
Normis,

Yes, I followed the procedure rextended described above. RB951G also has been upgraded successfully after going back to 6.37.5, downgrading the firmware to 3.24, and then applying the mipsbe .dpk file. Message from a RB2011, if I try to apply the code you mentioned, on 6.38.5 is that "Current RouterBOOT does not support this feature.", and that is one of the last RB I have that yet doesn´t support protected routerboot. If that error is not intended and you want access to or more information from the RB2011, just let me know, would be glad to help.

Thanks in advance.

Mazutti

I have updated the guide.

viewtopic.php?f=2&t=94303&p=580430#p580430

Thanks for feedback.

rextended · Thu Aug 10, 2017 2:32 pm

viewtopic.php?f=2&t=94303&p=580430#p580430

Updated for new 3.41 factory RouterBOOT

irghost · Thu Aug 10, 2017 7:19 pm

the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).

https://i.mt.lv/routerboard/files/ar7240_3.41.fwf

 /system routerboard> print 
       routerboard: yes
             model: RouterBOARD SXT LTE 3-7
     serial-number: ******************
     firmware-type: ar7240
  factory-firmware: 3.33
  current-firmware: 3.41
  upgrade-firmware: 3.41

rextended · Fri Aug 11, 2017 2:24 am

the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).

https://i.mt.lv/routerboard/files/ar7240_3.41.fwf
Code: Select all
 /system routerboard> print 
       routerboard: yes
             model: RouterBOARD SXT LTE 3-7
     serial-number: ******************
     firmware-type: ar7240
  factory-firmware: 3.33
  current-firmware: 3.41
  upgrade-firmware: 3.41

And what you expect? You understand? (من نمی دانم منظور شما چیست)
This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
as already writed: the mipsbe ar7240 are UNSUPPORTED!!!
you can only upgrade "current" BIOS whit the file in your link, but is unuseful for upgrade factory routerboot.

irghost · Fri Aug 11, 2017 7:25 am

And what you expect? You understand? (من نمی دانم منظور شما چیست)
This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
as already writed: the mipsbe ar7240 are UNSUPPORTED!!!
you can only upgrade "current" BIOS whit the file in your link, but is unuseful for upgrade factory routerboot.

you Just Said Unsupported
Which one ? Current or Factory?
When u Didn't add AR7240 Firmware file and said " Unsupported "
maybe someone thinks there is no 3.41 firmware for AR7240
I just added AR7240 Firmware For correction

rextended · Fri Aug 11, 2017 12:41 pm

And what you expect? You understand? (من نمی دانم منظور شما چیست)
This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
as already writed: the mipsbe ar7240 are UNSUPPORTED!!!
you can only upgrade "current" BIOS whit the file in your link, but is unuseful for upgrade factory routerboot.
you Just Said Unsupported
Which one ? Current or Factory?
When u Didn't add AR7240 Firmware file and said " Unsupported "
maybe someone thinks there is no 3.41 firmware for AR7240
I just added AR7240 Firmware For correction

The file for upgrade the FACTORY firmware
https://www.mikrotik.com/download/share ... mipsbe.dpk
do NOT support ar7240.
I do not add the link for "CURRENT" firmware because this is not the point for this thread.
For Protected RouterBOOT the factory firmware MUST have the support for Protected RouterBOOT,
the CURRENT also must support Protected RouterBOOT, but is easily upgradable with standard .fwf files or with one embedded on routeros system package.

rextended · Fri Aug 11, 2017 12:51 pm

rextended · Fri Aug 11, 2017 3:08 pm

post deleted:
fixed on 6.40.7

feris · Fri Mar 09, 2018 10:05 am

Hello
I think there is a problem with upgrade on ROS 6.41.
I can upgrade current RouterBOOT firmware to 3.41 using .fwf file with no problem.
Upgrade of factory RouterBOOT using .dpk file also works fine according to log output ( verified&installed) but /system routerboard still show old version of factory.
I've seen it on RB951G-2HnD and wAP ac.
Best Regards

CoMMyz · Tue Apr 03, 2018 2:58 pm

Any update for files on 6.41?

Thanks

rextended · Tue Apr 10, 2018 3:35 am

Any update for files on 6.41?

Thanks

Downgrade RouterOS to 6.40.7 "bugfix" and follow my guide:
viewtopic.php?f=2&t=94303&p=580430#p580430

rextended · Tue Apr 10, 2018 3:36 am

Hello
I think there is a problem with upgrade on ROS 6.41.
I can upgrade current RouterBOOT firmware to 3.41 using .fwf file with no problem.
Upgrade of factory RouterBOOT using .dpk file also works fine according to log output ( verified&installed) but /system routerboard still show old version of factory.
I've seen it on RB951G-2HnD and wAP ac.
Best Regards

RoterOS 6.41+ actually is unsupported for upgrade factory firmware

Downgrade RouterOS to 6.40.7 "bugfix" and follow my guide:
viewtopic.php?f=2&t=94303&p=580430#p580430

DmitryAVET · Mon Jul 30, 2018 10:33 am

rextended, thaks a lot for files!

I maked manual for russian clients, based on your info
https://weblance.com.ua/388-funkciya-pr ... rotik.html

rextended · Sun Aug 05, 2018 1:58 pm

rextended, thaks a lot for files!

I maked manual for russian clients, based on your info
https://weblance.com.ua/388-funkciya-pr ... rotik.html

shahbazian · Thu Dec 13, 2018 1:34 am

How to upgrade factory firmware (RouterBOOT)?

I have some old RouterBOARDs with older version of RouterBOOT. I need enable Protected RouterBOOT on that, but it is impossible because the factory firmware is older than 3.24.
How to upgrade that?

Thu Dec 13, 2018 7:54 am

How to upgrade factory firmware (RouterBOOT)?

To upgrade factory firmware you need to use special package that can be found here:
https://wiki.mikrotik.com/wiki/Manual:R ... bootloader

We will soon add newer version packages on that page.

onnoossendrijver · Thu Dec 20, 2018 12:38 pm

The link to the universal package is not working: File does not exist.
Can you fix the link?

Thu Dec 20, 2018 1:20 pm

The link to the universal package is not working: File does not exist.
Can you fix the link?

Link fixed

rextended · Mon Jan 07, 2019 6:29 pm

How to upgrade factory firmware (RouterBOOT)?

I have some old RouterBOARDs with older version of RouterBOOT. I need enable Protected RouterBOOT on that, but it is impossible because the factory firmware is older than 3.24.
How to upgrade that?

Please read the instructions here:
viewtopic.php?f=2&t=94303&p=580430#p580430
updated for "Universal" use.

alex3712 · Sat Jan 12, 2019 4:16 am

Hello, there are some solutions for the mipsbe ar7240 factory-firmware upgrade to at least 3.33

CoMMyz · Sat Jan 26, 2019 1:12 pm

Can someone please from MikroTik update the wiki link for 6.43.8 Universal?
It is currently for 6.43.7 - i hate downgrading just for this.

Thank you

@normis

Keyko · Tue Feb 05, 2019 7:15 pm

Any updates? Maby make auto update routerboot firmware with ROS??

Keyko · Thu Feb 28, 2019 4:26 pm

Any updates? Maby make auto update routerboot firmware with ROS??

Keyko · Sat Apr 13, 2019 11:34 am

Can anyone answer - will there be a Universal 6.43.7 enable for 6.43.x RouterOS update for all platforms? Should I install it and is there a changelog ???

rw3aui · Fri Sep 27, 2019 6:34 pm

Good day, where i can find bin file for programmer, I brake flash.

Who is online