> Newer devices will have this new backup loader already installed in factory
Will this be applied to older devices like RB750?

> a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT
This is a 'contract' issue, not a software / hardware problem. I can't think of many/any devices that can't be forced to factory reset in some way.

> This is a 'contract' issue, not a software / hardware problem. I can't think of many/any devices that can't be forced to factory reset in some way.
Oh well, so nothing to do about it, right? What about routerboards on towers and masts out in the open? Are you going to pay guards whose salary exceeds the value of the devices? And it depends on the country where you live. Here where I am, half of the customers don't want contracts; if you talk about contracts they look at you as if you are talking alien. I am talking about things that do happen in real life, not about hypothetical situations.

> Like I said, I can't think of a single device that can be completely locked down.
And I can't think of a single bank which can't be stolen; coincidentally one was stolen two weeks ago in my town. This doesn't mean that measures have to be taken.

> How does password differ from Protected RouterBOOT setting?
The password I mentioned was about the Netinstall, but you don't have to follow my idea, you surely can come up with a better one. For example, a pattern pressing the button, like a port knocking. Like 20s keeping it pressed, then 5s pause, then 10s pressed and so on.

> I may have understood it wrong, but I think Protected RouterBOOT was introduced to protect the router from being accessed by unauthorized people
Yes, you understood it wrong. Protected RouterBOOT is for protecting configuration of your device (including all the sensitive data it may contain) from access by unauthorized persons, but not to protect the device itself.

> First, without the admin password, I don't know of any way to steal someone's configuration file. Sure, you can netinstall and reset the unit, which will delete the config, but that won't get you the old configuration. So, the purpose of protected-bootloader is not to protect the config file.
You can boot anything using Netinstall, not just RouterOS installer. You can boot Linux there, login via ssh and read whatever is stored on the NAND chip. Protected RouterBOOT prevents that.
Yes exactly.
Protecting against reset is not possible, since then you would have devices that can only be discarded / thrown away, if somebody forgets the password. Not something anybody wants really.
> Like I said, I can't think of a single device that can be completely locked down. Most can be factory reset in some way, even if you have to solder something to the serial port on the board etc.
Wrong. There ARE devices that are useless without a password. iPhones and iPads have a locking feature where ONLY the owner can unlock it. If someone else gets a hold of the device, other than the owner, it is impossible to use (unless the owner unlocks it first).

> where exactly is this option of protected-routerboot? I can't find it in my rb2011 and rb951 latest ros and firmware.
You have to do it from the command line:

> I already read the wiki, but I can't find it even in terminal. Can you give me the command?
Did you follow the instructions in the wiki, INCLUDING downloading and installing the required package?

> no, I didn't install this package. So I have to drag and drop it in files and reboot to get it installed? And after that I will find the option in settings?
Correct, this package is required for it to work. Install it just like you would any upgrade package.

> If I understand correctly, the reformat-hold-button (5s .. 300s; Default: 20s) is a last option to get access to the device with losing configuration. So if I set this to e.g. 230 sec, for the next guy who tries to reset it this way it's impossible to find this timing, right?
> The device gets unusable if you don't leave default seconds to 20. Who will try sec by sec to find the right one?
I'd bet they could also keep it pressed for longer, just not shorter.

> Ahhh ok, I didn't see that a led will start flashing when right time -seconds reached. I thought you have to be very lucky blindly count with a watch trying to guess when you have to stop pressing button.
Actually, you might be right... I was extrapolating from the fact a "normal" reset has a led flashing as an indicator, but I see no indication in the wiki that this would happen with a protected boot's reset.
> I see this function to be rather useless complication than anything I would like to install to my devices...
Other people's mileage may vary. I see Protected RouterBOOT as another important step towards corporate market, where it is mandatory, for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment.

> for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment
You don't need protected RouterBOOT for that particular scenario.

> > for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment
> You don't need protected RouterBOOT for that particular scenario.
> If the personnel has physical access to the device, but not the router password, they can reset the device, and upon normal reset, all settings, including said IPsec shared secrets, are lost. Only the HDD contents are preserved.
> What the protected RouterBOOT protects from is if the personnel decides to ditch your IPsec shared secrets, in favor of a different network setup (say, one without IPsec at all) that they'll start setting up from scratch on their own (effectively taking the router for themselves; The bastards!)... or if the HDD contains sensitive data that wouldn't otherwise be gone, like say, a User Manager database.
no, they actually could boot a different OS and read your settings ... netinstall is not the only thing you can boot.

> no, they actually could boot a different OS and read your settings ... netinstall is not the only thing you can boot.
Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".

> Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
No. Even with "boot-device=nand-only" you can force network boot with reset button.

> > Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
> No. Even with "boot-device=nand-only" you can force network boot with reset button.
Oh. I see... it all makes sense now.
> if this happens to routers, cpe owners of them like organization hotels etc will start a war to mikrotik for not being able to reset them because of a past IT that passcode them!
I doubt it. Mikrotik can't be blamed for your IT not giving you the password they've set on your kit.

> I am not getting the options after I have installed the package
> that's why I am asking here
did you check the log, after installing the package? it usually gives reason what failed. maybe your device is too old. it will say in the log. try to upload and reboot once more, then check log

> Please someone reply why I am not getting the options
Write to support[at]mikrotik.com asking this same question. This is a user forum, and I believe protected RouterBOOT is not a widely used option.
> Hello guys, can you please help me clarify following situation?
> I give my clients MikroTik hAP lite routers and I want to protect them to not be able to be accidentally reset (our customers like to touch hidden buttons, don't know why). So I have done following settings with the discussed new feature like this:
>     boot-device: nand-only
>     cpu-frequency: 650MHz
>     boot-protocol: bootp
>     force-backup-booter: no
>     silent-boot: no
>     protected-routerboot: enabled
>     reformat-hold-button: 5m
> So now:
> -holding reset button reasonable time makes nothing
> -it boots just from NAND so there is no chance to boot from network
> But what exactly happens when someone holds reset button more than 5 minutes? It enables Netinstall or just resets config? I have tried to press it longer than "reformat-hold-button" time on one testing device and it seems to be bricked...
> Thanks a lot!
Just like manual explains, it will erase the NAND in a secure way, and essentially Brick the device. So what you see is as it should be.
> No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.
Perfect, now it's clear. Thanks.

> No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.
So a procedure of NetInstall after holding RESET button for "reformat-hold-button" time is what?

> -RB941-2nD is powered on with pushed RESET button for approx 15s
keep holding the button longer, until you see the device in Netinstall

> ...[CUT]..
> So a procedure of NetInstall after holding RESET button for "reformat-hold-button" time is what?
> I have tried to do steps as mentioned in NetInstall manual:
> -I have IP on computer's NIC
> -I have IP from the same subnet set in NetInstall
> -RB941-2nD is connected directly to NIC
> -RB941-2nD is powered on with pushed RESET button for approx 15s
> ..[CUT]..
> Device is still bricked. Any help?
The routerboard should be connected on ether1 (normally ..read manual for specific device)

> Did you connect the PC to the Ether1 port of the router?
> > -RB941-2nD is powered on with pushed RESET button for approx 15s
> keep holding the button longer, until you see the device in Netinstall
> also make sure PC has no firewall or antivirus that could be blocking Netinstall. Also you can try to right-click it and "Run as administrator"
I have tried holding RESET button for over 8 minutes and it didn't appear. The device is connected to ether1, I have also tried ether2. NetInstall is running on WinXP machine specially dedicated to these jobs. It's not connected to the Internet, doesn't have firewall enabled and no AV installed. There is only account - Administrator. All files are up to date as they are recently published on mikrotik.com.
> so what happened at last? was the device bricked?
yes, bricked, changed on warranty...

> This was random I imagine. It shouldn't happen, right?
It shouldn't but I am pretty sure that this will happen with every board. We just need to hope that no one will have the great idea of holding the reset button for 5 minutes.

> so far biggest problem with it is "unable to turn it off".
> for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
> you can set it, press "apply" but it remain unchecked and nothing actually change
please report a bug to mikrotik

> > so far biggest problem with it is "unable to turn it off".
> > for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
> > you can set it, press "apply" but it remain unchecked and nothing actually change
> please report a bug to mikrotik
how I can report bugs to mikrotik?

> > > so far biggest problem with it is "unable to turn it off".
> > > for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
> > > you can set it, press "apply" but it remain unchecked and nothing actually change
> > please report a bug to mikrotik
> how I can report bugs to mikrotik?
email support@mikrotik.com
    jan/01 00:00:04 system,info verified protected_routerboot_v3_24_enable_6_29_1_mipsbe.dpk
    13:36:09 system,error can not install protected-router-6.29: it is not made for smips, but for mips
    13:36:09 system,info router rebooted
    [admin@RB941-2nD-560C045163E9] > /system routerboard settings set protected-routerboot=enabled
    echo: system,info,critical Current RouterBOOT does not support this feature
Thanks PaulsMT, but I need an install package for smips...
> Hello All,
> As it is mentioned in the wiki " The backup RouterBOOT version can not be older than v3.22 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory."
> However, what is the way to upgrade the backup RouterBOOT ?
> Simply dragging the file into files section and rebooting is not working!
> Is there a special way to do so?
> Looking forward for replies.
> Thanks in advance.
1. Make sure your RouterOS is not very old - for Tile and Smips at least 6.33, for mipsbe 6.29.1
older devices have no ability to upgrade backup bootloader. only RB9xx and newer are supported
> why want a device that is impossible to reset to some standard and known settings? in case something goes bad you will have a dead router. it is preferred the router to work even in another provider. if you want to be ok to the idea that a client maybe use the device with other provider then charge them for it and then just protect your setting and passwords with this feature.
My CPE are not sold to end user. If someone steals my CPE I do not want the thief to also steal the "intellectual property", the passwords, etc.

> So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn't get any results.
> Can anyone confirm if this error means these RBs are not supported (too old) or if that's something I'm doing wrong?
> Any additional information, I would be glad to share.
> Thanks in advance.
> Mazutti
fixed, use 6.40.7

> > So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn't get any results.
> > Can anyone confirm if this error means these RBs are not supported (too old) or if that's something I'm doing wrong?
> > Any additional information, I would be glad to share.
> > Thanks in advance.
> > Mazutti
> I try the same with one 922UAGS-5HPacD with same error code 14 with 6.38.5
> Downgraded to 6.37.5 for update and is working as expected
> Is like the protected routerboot upgrade is stopping work on 6.38(.5)???
Makes sense, since both of my devices are on 6.38.5. Tested downgrading the mAP-2n to 6.37.5 and doing the procedure again and now protected routerboot is enabled. Will do the same on RB951G and report back.
> It seems to me that you are following the procedure that only applies to very old devices, that need a special package. This package is no longer compatible with new RouterOS. We will soon make new packages.
> But you don't need this package. You can just enable this feature from the console:
>     /system routerboard settings set protected-routerboot=enabled
Normis,
Yes, I followed the procedure rextended described above. RB951G also has been upgraded successfully after going back to 6.37.5, downgrading the firmware to 3.24, and then applying the mipsbe .dpk file. Message from a RB2011, if I try to apply the code you mentioned, on 6.38.5 is that "Current RouterBOOT does not support this feature.", and that is one of the last RB I have that yet doesn't support protected routerboot. If that error is not intended and you want access to or more information from the RB2011, just let me know, would be glad to help.
Thanks in advance.
Mazutti
https://i.mt.lv/routerboard/files/ar7240_3.41.fwf
the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).
/system routerboard> print
routerboard: yes
model: RouterBOARD SXT LTE 3-7
serial-number: ******************
firmware-type: ar7240
factory-firmware: 3.33
current-firmware: 3.41
upgrade-firmware: 3.41
> > the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).
> https://i.mt.lv/routerboard/files/ar7240_3.41.fwf
>     /system routerboard> print
>     routerboard: yes
>     model: RouterBOARD SXT LTE 3-7
>     serial-number: ******************
>     firmware-type: ar7240
>     factory-firmware: 3.33
>     current-firmware: 3.41
>     upgrade-firmware: 3.41
And what you expect? You understand? (I do not know what you mean)

you Just Said Unsupported
> And what you expect? You understand? (I do not know what you mean)
> This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
> as already written: the mipsbe ar7240 are UNSUPPORTED!!!
> you can only upgrade "current" BIOS with the file in your link, but is unuseful for upgrade factory routerboot.

> you Just Said Unsupported
> > And what you expect? You understand? (I do not know what you mean)
> > This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
> > as already written: the mipsbe ar7240 are UNSUPPORTED!!!
> > you can only upgrade "current" BIOS with the file in your link, but is unuseful for upgrade factory routerboot.
> Which one ? Current or Factory?
> When u Didn't add AR7240 Firmware file and said " Unsupported "
> maybe someone thinks there is no 3.41 firmware for AR7240
> I just added AR7240 Firmware For correction
The file for upgrade the FACTORY firmware
> Any update for files on 6.41?
> Thanks
Downgrade RouterOS to 6.40.7 "bugfix" and follow my guide:
Hello
I think there is a problem with upgrade on ROS 6.41.
I can upgrade current RouterBOOT firmware to 3.41 using .fwf file with no problem.
Upgrade of factory RouterBOOT using .dpk file also works fine according to log output ( verified&installed) but /system routerboard still show old version of factory.
I've seen it on RB951G-2HnD and wAP ac.
Best Regards
rextended, thanks a lot for files!
I made a manual for Russian clients, based on your info
https://weblance.com.ua/388-funkciya-pr ... rotik.html
> How to upgrade factory firmware (RouterBOOT)?
To upgrade factory firmware you need to use special package that can be found here:

> The link to the universal package is not working: File does not exist.
> Can you fix the link?
Link fixed

> How to upgrade factory firmware (RouterBOOT)?
> I have some old RouterBOARDs with older version of RouterBOOT. I need enable Protected RouterBOOT on that, but it is impossible because the factory firmware is older than 3.24.
> How to upgrade that?
Please read the instructions here:

> They do not read the instructions...
yep, i had read that...but next line says:
>>>UNSUPPORTED:
>>>powerpc all [amcc460, mpc8323, mpc8343, mpc8544, mpc8548, p1023, p2020, ...]

> > They do not read the instructions...
> yep, i had read that...but next line says:
> >>>UNSUPPORTED:
> >>>powerpc all [amcc460, mpc8323, mpc8343, mpc8544, mpc8548, p1023, p2020, ...]
First 3 number of ether1 MAC please?
EDIT: 6.43.7 contains powerpc [only mpc8544, p1023, p2020] BIOS, but I not have actually tested if work
well i tested..it does not work...i just wrote it if someone was more lucky than me.
thanks anyway.
First 3 number of ether1 MAC please?
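
Added example, not part of the thread and not MikroTik code: a Python check that parses `/system routerboard print` and `/system routerboard settings print` output in the form posted above, and reports whether the loader versions meet the 3.24 minimum one poster gives and whether protected RouterBOOT is on. The function names and the second sample are made up for illustration; the 3.24 threshold and the nand-only caveat come from posters' statements in this thread, not from vendor documentation.

```python
import re

# Minimum RouterBOOT version as stated by a poster in this thread (assumption, not vendor docs).
MIN_FIRMWARE = (3, 24)

# Abridged from the print outputs posted in the thread.
BOARD_FROM_THREAD = """\
/system routerboard> print
routerboard: yes
model: RouterBOARD SXT LTE 3-7
firmware-type: ar7240
factory-firmware: 3.33
current-firmware: 3.41
upgrade-firmware: 3.41
"""
SETTINGS_FROM_THREAD = """\
boot-device: nand-only
protected-routerboot: enabled
reformat-hold-button: 5m
"""
# Constructed sample: old factory loader, protection switched off.
BOARD_OLD = "factory-firmware: 3.10\ncurrent-firmware: 3.41\n"
SETTINGS_OPEN = "boot-device: nand-only\nprotected-routerboot: disabled\nreformat-hold-button: 20s\n"


def parse_print(text):
    """Parse 'key: value' lines of RouterOS print output; prompt lines are ignored."""
    return dict(re.findall(r"^[ \t]*([a-z][a-z-]*):[ \t]*(\S.*?)[ \t]*$", text, re.M))


def version(value):
    """'3.41' -> (3, 41), so versions compare component-wise as integers."""
    return tuple(int(part) for part in value.split("."))


def seconds(value):
    """'5m' -> 300, '20s' -> 20, '1m30s' -> 90 (unit-suffixed durations only)."""
    units = {"h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([hms])", value))


def audit(board_text, settings_text):
    board, settings = parse_print(board_text), parse_print(settings_text)
    findings = []
    for key in ("factory-firmware", "current-firmware"):
        if key not in board or version(board[key]) < MIN_FIRMWARE:
            findings.append(f"{key} is {board.get(key, 'missing')}, need >= 3.24")
    firmware_ok = not findings
    protected = settings.get("protected-routerboot") == "enabled"
    if not protected:
        findings.append("protected-routerboot is not enabled")
        if settings.get("boot-device") == "nand-only":
            # Per the thread: the reset button can still force a network boot.
            findings.append("boot-device=nand-only alone does not stop a reset-button netboot")
    hold = settings.get("reformat-hold-button")
    return {"firmware_ok": firmware_ok, "protected": protected,
            "hold_seconds": seconds(hold) if hold else None, "findings": findings}


if __name__ == "__main__":
    for board, cfg in ((BOARD_FROM_THREAD, SETTINGS_FROM_THREAD), (BOARD_OLD, SETTINGS_OPEN)):
        print(audit(board, cfg))
```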