Page 1 of 1

Protected RouterBOOT

Posted: Sun Feb 22, 2015 10:44 pm
by kmailz
Hi all,
I found new protected-routerboot setting in Wiki. Sounds too good to be true so I've installed update package for backup RouterBOOT. Do everything as written in Wiki.. And result? Nothing, still was able to boot into netinstall mode.
It takes me two days of fun to found that my RB is not supported.
rb_log.jpg
RB 750
ROS 6.27
RB FW: 3.22

There's coming question: will be 750 supported? :)

And please specify supported models in Wiki.

Thanks :)

Re: Protected RouterBOOT

Posted: Mon Feb 23, 2015 12:35 pm
by normis
older devices have no ability to upgrade backup bootloader. only RB9xx and newer are supported

Re: Protected RouterBOOT

Posted: Mon Feb 23, 2015 9:47 pm
by kmailz
Okay thanks.

from wiki:
Newer devices will have this new backup loader already installed in factory
Will be this applied to older devices like RB750?

Re: Protected RouterBOOT

Posted: Wed Feb 25, 2015 11:24 pm
by Caci99
This is a good feature but not as I would have expected it to act yet. It is a good first step to protect the routerboards which are installed into the open.

My main concern is about SXT Lite. What actually happens, is that a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT. Keep in mind that SXT is generally offered free of charge to the customer, so there is one lost. Time after time this is a considerable loss. I have even asked support long time ago if there was anyway to stop others from steeling routerboards installed at open by resetting or netinstall-ing them. But there was no way to protect a routerboard from netinstall.

This new method is a good step at protecting the routerboards, but still one can netinstall by holding the reset button for the given time. I just tested it on a SXT, and the SXT even flashes after the time is reached, indicating that the button can be released and it enters into netistall.

My suggestion would be, is it possible to add a password to protect the routerboard from netinstall? A password which will prompt at the netinstall window? This is a better way to protect it.
I am glad that this issue has been addressed since it is a serious one, but I think it needs to be better than as it is now at this stage.

Re: Protected RouterBOOT

Posted: Wed Feb 25, 2015 11:57 pm
by marrold
a customer asks for internet connection, and generally a SXT is installed at premises. A month later or so, a competitor goes and lures this customer to offer a better service without even needing to change anything. This competitor resets the SXT and configures it at his needs, and there goes one SXT
This is a 'contract' issue, not a software / hardware problem. I can't think of many/any devices that can't be forced to factory reset in some way.

Re: Protected RouterBOOT

Posted: Thu Feb 26, 2015 12:13 am
by Caci99
This is a 'contract' issue, not a software / hardware problem. I can't think of many/any devices that can't be forced to factory reset in some way.
Oh well, so nothing to do about it, right? What about routerboards on towers and masts out in the open? Are you going to pay guards who's salary exceeds the value of the devices? And it depends on the country where you live. Here where I am, half of the customers don't want contracts, if you talk about contracts they look at you as if you are talking alien. I am talking things that do happen in real life not about hypothetical situations.
As I said, it is a good thing MikroTik introduced this feature, it only needs to be better.

Re: Protected RouterBOOT

Posted: Thu Feb 26, 2015 9:51 am
by marrold
Like I said, I cant think of a single device that can be completely locked down. Most can be factory reset in some way, even if you have to solder something to the serial port on the board etc.

In the ideal world, how would Protected RouterBOOT work for you?

Re: Protected RouterBOOT

Posted: Thu Feb 26, 2015 12:06 pm
by normis
How does password differ from Protected RouterBOOT setting?

The only difference is ability to format the device for reset, but this is for the situation where you forget the password. Otherwise you would just brick it without recovery.

There is no way to protect against reset. If somebody really wants, they could even remove the NAND.

Re: Protected RouterBOOT

Posted: Thu Feb 26, 2015 7:36 pm
by Caci99
Like I said, I cant think of a single device that can be completely locked down.
And I can't think of single bank which can't be stolen, coincidentally one was stolen two weeks ago in my town :). This doesn't mean that measures has to be taken.
How does password differ from Protected RouterBOOT setting?
The password I mentioned was about the neinstall, but you don't have to follow my idea, you surely can come up with a better one. For example, a pattern pressing the button, like a port knocking. Like 20s keeping it pressed, then 5s pause, then 10s pressed and so on.
I may have understood it wrong, but i think Protected RouterBOOT was introduced to protect the router from being accessed by unauthorized people and as it stands now, unauthorized people can still access the routerboard by netinstall. All they need to do is a 5min read of the wiki and 5min test like I did.

Re: Protected RouterBOOT

Posted: Fri Mar 27, 2015 7:05 pm
by jandafields
I've been trying to figure out the actual purpose of protected-bootloader is, and I cannot yet figure it out.

First, without the admin password, I don't know of anyway to steal someone's configuration file. Sure, you can netinstall and reset the unit, which will delete the config, but that won't get you the old configuration. So, the purpose of protected-bootloader is not to protect the config file.

Second, you can netinstall and reinstall mikrotik regardless of the protected-bootloader setting, without knowing the admin password, and without knowing the seconds setting. Simply hold the button until it flashes, and then netinstall. Easy. So, the purpose of protected-bootloader is not to stop netinstall from working.

So ... what is the purpose of protected-bootloader???

Re: Protected RouterBOOT

Posted: Fri Mar 27, 2015 7:45 pm
by andriys
I may have understood it wrong, but i think Protected RouterBOOT was introduced to protect the router from being accessed by unauthorized people
Yes, you understood it wrong. Protected RouterBOOT is for protecting configuration of your device (including all the sensitive data it may contain) from access by unauthorized persons, but not to protect the device itself.

Re: Protected RouterBOOT

Posted: Fri Mar 27, 2015 7:48 pm
by andriys
First, without the admin password, I don't know of anyway to steal someone's configuration file. Sure, you can netinstall and reset the unit, which will delete the config, but that won't get you the old configuration. So, the purpose of protected-bootloader is not to protect the config file.
You can boot anything using Netinstall, not just RouterOS installer. You can boot Linux there, login via ssh and read whatever is stored on the NAND chip. Protected RouterBOOT prevents that.

Re: Protected RouterBOOT

Posted: Fri Mar 27, 2015 8:03 pm
by jandafields
Ah, ok. Thank you.

Re: Protected RouterBOOT

Posted: Sat Mar 28, 2015 9:43 am
by normis
Yes exactly.

Protecting against reset is not possible, since then you would have devices that can only be discarded / thrown away, if somebody forgets the password. Not something anybody wants really.

Re: Protected RouterBOOT

Posted: Sat Mar 28, 2015 7:39 pm
by jandafields
Yes exactly.

Protecting against reset is not possible, since then you would have devices that can only be discarded / thrown away, if somebody forgets the password. Not something anybody wants really.

Actually, based on the other posts here, I think that people DO want a device that would have to be discarded if the password is lost.

I think it would be better for a device to be thrown away, rather than a competitor to end up using it. Theft deterrent.

Re: Protected RouterBOOT

Posted: Sat Mar 28, 2015 7:43 pm
by jandafields
Like I said, I cant think of a single device that can be completely locked down. Most can be factory reset in some way, even if you have to solder something to the serial port on the board etc.
Wrong. There ARE devices that are useless without a password. iPhones and iPads have a locking feature where ONLY the owner can unlock it. If someone else gets a hold of the device, other than the owner, it is impossible to use (unless the owner unlocks it first).

It's called "Activation Lock" or "Find My iPad". There is currently no known way to bypass this lock. There are many stories of buying these devices on eBay when the originally did not unlock it (or it was stolen and resold), where the purchaser had no way to use it.

So, not an exact comparision, but yes there are tech devices that can be completely locked down.

Re: Protected RouterBOOT

Posted: Sat Mar 28, 2015 7:59 pm
by freemannnn
where exactly is this option of protected-routerboot? i cant find it in my rb2011 and rb951 latest ros and firmware.

Re: Protected RouterBOOT

Posted: Sat Mar 28, 2015 8:14 pm
by jandafields
where exactly is this option of protected-routerboot? i cant find it in my rb2011 and rb951 latest ros and firmware.
You have to do it from the command line:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader

Re: Protected RouterBOOT

Posted: Sat Mar 28, 2015 8:18 pm
by freemannnn
i already read the wiki. but i cant find it even in terminal. can u give me the command?

Re: Protected RouterBOOT

Posted: Sat Mar 28, 2015 8:33 pm
by jandafields
i already read the wiki. but i cant find it even in terminal. can u give me the command?
Did you follow the instructions in the wiki, INCLUDING downloading and installing the required package?

http://www.mikrotik.com/download/share/ ... e_6_27.dpk

Re: Protected RouterBOOT

Posted: Sat Mar 28, 2015 8:38 pm
by freemannnn
no i didnt install this package. so i have to drag and drop it in files and reboot to get it installed? and after i will find the option in settings?

Re: Protected RouterBOOT

Posted: Sat Mar 28, 2015 9:08 pm
by jandafields
no i didnt install this package. so i have to drag and drop it in files and reboot to get it installed? and after i will find the option in settings?
Correct, this package is required for it to work. Install it just like you would any upgrade package.

Protected RouterBOOT

Posted: Sun Mar 29, 2015 12:43 am
by freemannnn
If i understand correct the reformat-hold-button (5s .. 300s; Default: 20s) is an last option to get access to device with loosing configuration. So if i set this to eg 230 sec the next guy who tries to reset it by this way its impossible to find this timing, right?
The device gets unusable if you dont leave default seconds to 20. Who will try sec by sec to find the right one?

Re: Protected RouterBOOT

Posted: Sun Mar 29, 2015 12:59 am
by boen_robot
If i understand correct the reformat-hold-button (5s .. 300s; Default: 20s) is an last option to get access to device with loosing configuration. So if i set this to eg 230 sec the next guy who tries to reset it by this way its impossible to find this timing, right?
The device gets unusable if you dont leave default seconds to 20. Who will try sec by sec to find the right one?
I'd bet they could also keep it pressed for longer, just not shorter.

So the next guy, worst case scenario, will have to sit like an idiot for 5 minutes (300 seconds) pressing that button down, at least until a led starts flashing... If they're REALLY motivated to reuse your equipment, they might actually do it... or (if this becomes a common practice) create a rig that keeps the button pressed, until they manually pull it out of said rig, 5 minutes later.

Protected RouterBOOT

Posted: Sun Mar 29, 2015 1:06 am
by freemannnn
Ahhh ok i didnt see that a led will start flashing when right time -seconds reached. I thought you have to be very lucky blindly count with a watch trying to guess when you have to stop pressing button.

Re: Protected RouterBOOT

Posted: Sun Mar 29, 2015 1:15 am
by boen_robot
Ahhh ok i didnt see that a led will start flashing when right time -seconds reached. I thought you have to be very lucky blindly count with a watch trying to guess when you have to stop pressing button.
Actually, you might be right... I was extrapolating from the fact a "normal" reset has a led flashing as an indicator, but I see no indication in the wiki that this would happen with a protected boot's reset.

But still... I'd guess you could keep the button pressed for longer, so if the next guy keeps it pressed for 5 minutes, they're guaranteed to reset it.

Alternatively, there may be some small window around the time (e.g. 5 seconds, maybe 10). I mean, there MUST be SOME sort of window, considering that even if you KNOW the exact number of seconds needed and you have a clock with you, you're unlikely to hit that exact second, and having the button accept 5 additional seconds would let you hold down the button for one or two more seconds, rather than "just barely making it".

If there's 5 second window, it means one has to check 59 possible 5 second intervals, which would in turn cover the remaining 235 settings. Admittedly, even 59 attempts is a little too many for a manual process like this one.

Re: Protected RouterBOOT

Posted: Sun Mar 29, 2015 2:18 am
by jandafields
Yes, the light flashes when the correct number of seconds has been reached. The "seconds" is really not a security measure at all, I don't know why they make it adjustable since the light flashes anyway.

Posted: Sun Mar 29, 2015 9:14 am
by jarda
I see this function to be rather useless complication than anything I would like to install to my devices...

Re: Protected RouterBOOT

Posted: Sun Mar 29, 2015 11:34 am
by freemannnn
apples security "find my iphone" i think is one of the best for the moment. they lock the device to the owner. you format the device and it asks the last owner apple id so you can use it again. but this is right for devices that can be stolen, eg mobiles.

if this happens to routers,cpe owners of them like organization hotels etc will start a war to mikrotik for not beeing able to reset them because of a past IT that passcode them!

Re:

Posted: Sun Mar 29, 2015 3:29 pm
by andriys
I see this function to be rather useless complication than anything I would like to install to my devices...
Other people's mileage may vary. I see Protected RouterBOOT as another important step towards corporate market, where it us mandatory, for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment.

Cisco ASA, for instance, has similar feature: "no service password-recovery".

Re: Re:

Posted: Sun Mar 29, 2015 3:43 pm
by boen_robot
for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment
You don't need protected RouterBOOT for that particular scenario.

If the personnel has physical access to the device, but not the router password, they can reset the device, and upon normal reset, all settings, including said IPsec shared secrets, are lost. Only the HDD contents are preserved.

What the protected RouterBOOT protects from is if the personnel decides to ditch your IPsec shared secrets, in favor of a different network setup (say, one without IPsec at all) that they'll start setting up from scratch on their own (effectively taking the router for themselves; The bastards!)... or if the HDD contains sensitive data that wouldn't otherwise be gone, like say, a User Manager database.

Re: Re:

Posted: Sun Mar 29, 2015 4:02 pm
by normis
for instance, to protect IPsec shared secrets from access by unauthorized personnel who, nevertheless, has legitimate physical access to the equipment
You don't need protected RouterBOOT for that particular scenario.

If the personnel has physical access to the device, but not the router password, they can reset the device, and upon normal reset, all settings, including said IPsec shared secrets, are lost. Only the HDD contents are preserved.

What the protected RouterBOOT protects from is if the personnel decides to ditch your IPsec shared secrets, in favor of a different network setup (say, one without IPsec at all) that they'll start setting up from scratch on their own (effectively taking the router for themselves; The bastards!)... or if the HDD contains sensitive data that wouldn't otherwise be gone, like say, a User Manager database.
no, they actually could boot a different OS and read your settings ... netinstall is not the only thing you can boot.

Re: Re:

Posted: Sun Mar 29, 2015 4:51 pm
by boen_robot
no, they actually could boot a different OS and read your settings ... netinstall is not the only thing you can boot.
Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".

Re: Re:

Posted: Sun Mar 29, 2015 5:15 pm
by andriys
Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
No. Even with "boot-device=nand-only" you can force network boot with reset button.

Re: Protected RouterBOOT

Posted: Sun Mar 29, 2015 5:35 pm
by boen_robot
Isn't simply disabling etherboot enough to counter that? I mean, even without protected boot, you can set "nand-only" boot in "/system routerboard settings".
No. Even with "boot-device=nand-only" you can force network boot with reset button.
Oh. I see... it all makes sense now.

Re: Protected RouterBOOT

Posted: Sun Mar 29, 2015 9:50 pm
by troffasky
if this happens to routers,cpe owners of them like organization hotels etc will start a war to mikrotik for not beeing able to reset them because of a past IT that passcode them!
I doubt it. Mikrotik can't be blamed for your IT not giving you the password they've set on your kit.
To cite another example, the recovery procedure for a lost password on a Mobotix IP camera is to send it back to the factory in Germany, and that particular feature can't be turned off :-)

Re: Protected RouterBOOT

Posted: Sun Aug 02, 2015 11:21 am
by kgninfos
i just installed the pack on a 911 board and as per log it was installed
but in routerboard>settings i am unable to find any option to enable it

an any one guide me with the exact command / process

Thanks

Re: Protected RouterBOOT

Posted: Mon Aug 03, 2015 9:36 am
by normis

Re: Protected RouterBOOT

Posted: Mon Aug 03, 2015 10:37 am
by kgninfos
i am not getting the options after i have installed the packege
thats why i am asking here

Re: Protected RouterBOOT

Posted: Mon Aug 03, 2015 10:47 am
by normis
i am not getting the options after i have installed the packege
thats why i am asking here
did you check the log, after installing the package? it usually gives reason what failed. maybe your device is too old. it will say in the log. try to upload and reboot once more, then check log

package: http://www.mikrotik.com/download/share/ ... e_6_27.dpk

Re: Protected RouterBOOT

Posted: Mon Aug 03, 2015 11:04 am
by kgninfos
As per log it was installed

Re: Protected RouterBOOT

Posted: Tue Aug 04, 2015 4:07 pm
by kgninfos
Please reply why i am not getting the options

Re: Protected RouterBOOT

Posted: Thu Aug 06, 2015 7:39 am
by kgninfos
Please someone reply why i am not getting the options

Re: Protected RouterBOOT

Posted: Thu Aug 06, 2015 1:18 pm
by andriys
Please someone reply why i am not getting the options
Write to support[at]mikrotik.com asking this same question. This is a user forum, and I believe protected RouterBOOT is not a widely used option.

Re: Protected RouterBOOT

Posted: Mon Sep 07, 2015 7:55 pm
by longerCZ
Hello guys, can you please help me clarify following situation?

I give my clients MikroTik hAP lite routers and I want to protect them to not be able to be accidentaly reseted (our customers like to touch hidden buttons, don't know why). So I have done following settings with the discussed new feature like this:
boot-device: nand-only
cpu-frequency: 650MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
protected-routerboot: enabled
reformat-hold-button: 5m
So now:
-holding reset button reasonable time makes nothing
-it boots just from NAND so there is no chance to boot from network

But what exactly happens when someone holds reset button more then 5 minutes? It enables Netinstall or just resets config? I have tried to press it longer then "reformat-hold-button" time on one testing device and it seems to be bricked...

Thanks a lot!

Re: Protected RouterBOOT

Posted: Tue Sep 08, 2015 1:04 pm
by normis
Hello guys, can you please help me clarify following situation?

I give my clients MikroTik hAP lite routers and I want to protect them to not be able to be accidentaly reseted (our customers like to touch hidden buttons, don't know why). So I have done following settings with the discussed new feature like this:
boot-device: nand-only
cpu-frequency: 650MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
protected-routerboot: enabled
reformat-hold-button: 5m
So now:
-holding reset button reasonable time makes nothing
-it boots just from NAND so there is no chance to boot from network

But what exactly happens when someone holds reset button more then 5 minutes? It enables Netinstall or just resets config? I have tried to press it longer then "reformat-hold-button" time on one testing device and it seems to be bricked...

Thanks a lot!
Just like manual explains, it will erase the NAND in a secure way, and essentially Brick the device. So what you see is as it should be.

See last option, the one that says EXTREMELY DANGEROUS:

http://wiki.mikrotik.com/wiki/Manual:Ro ... D_settings

Re: Protected RouterBOOT

Posted: Tue Sep 08, 2015 7:38 pm
by bajodel
Probably my english is really bad, but I can't understand the manual page.

.. So..

If I press reset for "reformat-hold-button" seconds the board erase (deep mode) all and I can netinstall a fresh new install.

If I press for more seconds than "reformat-hold-button", the device is unrecoverabily bricked ?

If yes, which is the tolerance windows (seconds) of reformat-hold-button ?

Re: Protected RouterBOOT

Posted: Wed Sep 09, 2015 10:14 am
by normis
No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.

Re: Protected RouterBOOT

Posted: Wed Sep 09, 2015 10:44 am
by bajodel
No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.
Perfect, now it's clear. Thanks.

Re: Protected RouterBOOT

Posted: Mon Sep 14, 2015 2:28 pm
by longerCZ
No. "Exactly" or "More" seconds will result the same - reformat NAND and Etherboot mode. Netinstall will fix the device in any case.
So a procedure of NetInstall after holding RESET button for "reformat-hold-button" time is what?

I have tried to do steps as mentioned in NetInstall manual:
-I have IP on computer's NIC
-I have IP from the same subnet set in NetInstall
-RB941-2nD is connected directly to NIC
-RB941-2nD is powered on with pushed RESET button for approx 15s

When i just boot the device without RESET button, it's eth ports blinks randomly. If I use previous steps, it acts normaly (all eth ports are off, only connected one is on). The thing is that it doesn't appear in the list of NetInstall. When I use another working device it show in the list normally, so PC's configuration seems to be OK.

Device is still bricked. Any help?

Re: Protected RouterBOOT

Posted: Mon Sep 14, 2015 2:33 pm
by normis
Did you connec the PC to the Ether1 port of the router ?
-RB941-2nD is powered on with pushed RESET button for approx 15s
keep holding the button longer, until you see the device in Netinstall

also make sure PC has no firewall or antivirus that could be blocking Netinstall. Also you can try to right-click it and "Run as administrator"

Re: Protected RouterBOOT

Posted: Mon Sep 14, 2015 3:25 pm
by bajodel
..[CUT]..
So a procedure of NetInstall after holding RESET button for "reformat-hold-button" time is what?

I have tried to do steps as mentioned in NetInstall manual:
-I have IP on computer's NIC
-I have IP from the same subnet set in NetInstall
-RB941-2nD is connected directly to NIC
-RB941-2nD is powered on with pushed RESET button for approx 15s

..[CUT]..
Device is still bricked. Any help?
The routerboard should be connected on ether1 (normally ..read manual for specific device).

Re: Protected RouterBOOT

Posted: Mon Sep 14, 2015 7:21 pm
by longerCZ
Did you connec the PC to the Ether1 port of the router ?
-RB941-2nD is powered on with pushed RESET button for approx 15s
keep holding the button longer, until you see the device in Netinstall

also make sure PC has no firewall or antivirus that could be blocking Netinstall. Also you can try to right-click it and "Run as administrator"
I have tried holding RESET button for over 8 minutes and it didn't appear. The device is connected to ether1, I have also tried ether2. NetInstall is running on WinXP machine specially dedicated to these jobs. It's not connected to the Internet, doesn't have firewall enabled and no AV installed. There is only account - Administrator. All files are up to date as they are recently published on mikrotik.com.

Now I think the device is bricked if the RESET button doesn't need to be held for 1 hour or so...

Re: Protected RouterBOOT

Posted: Sun Dec 06, 2015 7:30 pm
by freemannnn
so what happened at last? was the device bricked?

Re: Protected RouterBOOT

Posted: Sun Dec 06, 2015 9:40 pm
by longerCZ
so what happened at last? was the device bricked?
yes, bricked, changed on warranty...

Protected RouterBOOT

Posted: Sun Dec 06, 2015 9:58 pm
by freemannnn
This was random i imagine. It shouldnt happen right?

Re: Protected RouterBOOT

Posted: Mon Dec 07, 2015 12:21 pm
by longerCZ
This was random i imagine. It shouldnt happen right?
It shouldn't but I am pretty sure that this will happen with every board. We just need to hope that noone will have the great idea of holding the reset button for 5 minutes. :-)

Re: Protected RouterBOOT

Posted: Sun Dec 27, 2015 1:55 pm
by kgninfos
what do you think about this idea
for Level 3 Device (mostly used for CPE) make an option that till device is activated by connecting to internet features like bridge and NAT will not work
this will force users to activate it after reset and for activation it should query Mikrotik Account id and there you can setup some ownership think like if i purchase a device then the Sl number will be mapped under my mikrotik id and i can only unlock it
when i sell it someone there should be option to transfer ownership from the online Mikrotik panel

by doing this user will be forced to ask us to unlock the device before they switch provider (after all we are providing CPE to users at a very much discounted rate or even free some times)

Posted: Sun Dec 27, 2015 3:02 pm
by jarda
Is there anyone having problems with stealing your equipment? Do you think that not informed thief will not steal your devices if it will be blocked somehow? Do you believe that informed thief will return back your blocked device? My opinion is that this feature is just another artificial source of future potential problems and generally for nothing.

Re: Protected RouterBOOT

Posted: Sun Dec 27, 2015 3:14 pm
by kgninfos
see i am not trying to preveny cpe from being stolen
but think from a customer view he and other providers will also know that cpe can not be used with other network unless we allow it
so they will have to get a new cpe
why i am telling this is we are giving free sxt with connection and customer take connection from us and after 1 Month instead of paying us they approch other provider to give connection on cpe and not to charge any installation cost

so we are the ultimate looser

Posted: Sun Dec 27, 2015 5:13 pm
by jarda
But you can take a deposit for some initial period from customer or make an agreement that you will invoice the costs under such conditions...

Re: Protected RouterBOOT

Posted: Sun Dec 27, 2015 5:26 pm
by kgninfos
Make agreement then go to court for such small amount
even lawer will charge more than the cost of cpe

Posted: Sun Dec 27, 2015 5:32 pm
by jarda
... Deposit...

Re: Protected RouterBOOT

Posted: Mon Dec 28, 2015 12:35 pm
by Caci99
I have wrote it before, but I will repeat it. The situation is as @kgninfos describes it. You give CPE for free to new customer (or whatever deal you are offering), than competition arrives and offers him a better deal using the CPE. Customer is unaware of what is behind, he is just looking for the better deal. It is not possible to go to court or use of whatever other legal instrument in countries like mine.
If the access to the board is blocked, the competition will not be able to give the service, even if he will try. So without the CPE he will need to change the offer or just step back. Sooner or later the situation described will not be possible anymore. Everyone will have to offer the deals with their own equipment. A lot of my customers who are small WISP themselves have asked for such a feature for long time.

Re: Protected RouterBOOT

Posted: Mon Dec 28, 2015 9:06 pm
by Zorro
so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change :)

Re: Protected RouterBOOT

Posted: Tue Dec 29, 2015 10:38 am
by normis
so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change :)
please report a bug to mikrotik

Re: Protected RouterBOOT

Posted: Tue Dec 29, 2015 10:14 pm
by Zorro
so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change :)
please report a bug to mikrotik
how i can report bugs to mikrotik?

Re: Protected RouterBOOT

Posted: Wed Dec 30, 2015 12:43 am
by troffasky
Email support.

But really, economic problem won't be fixed with technical workarounds. If you aren't charging enough to cover your costs, Mikrotik cannot fix this for you.

Re: Protected RouterBOOT

Posted: Wed Dec 30, 2015 7:08 am
by kgninfos
i guess you have not got a competitor or very rich people are there who are paying

think why apple is giving device lock when we all know apple phones are costly and their owner can afford a new phone

Re: Protected RouterBOOT

Posted: Wed Dec 30, 2015 8:36 am
by normis
so far biggest problem with it is "unable to turn it off".
for example checkbox is simply IGNORED in "Routerboard" part of System menu in both RB2011 and HEX, HAP.
you can set it, press "apply" but it remain unchecked and nothing actually change :)
please report a bug to mikrotik
how i can report bugs to mikrotik?
email support@mikrotik.com

Re: Protected RouterBOOT

Posted: Wed Dec 30, 2015 8:39 am
by normis
This feature is not to prevent something from being stolen. It is to protect your data. The feature allows to block device from using network boot to access your data without password. By using protected routerboot, a forgotten password will mean to nullify your NAND, then Netinstall. This way, if somebody steals your device, your config and passwords are safe.

Re: Protected RouterBOOT

Posted: Thu Dec 31, 2015 1:18 am
by Zorro
hardwired anti-thieft tech - also can be implemented in firmware, just like in notebooks, but i hope it was never happen, because its exploitable(and usually by random 3rd-parties)as hell and cause more damage than save money.

Re: Protected RouterBOOT

Posted: Mon Jan 18, 2016 2:48 pm
by skyhawk
My test-bench RB941-2nD cannot enter protected-bootloader mode. Upon factory reset the bootloader reverts to 3.19, which I'm guessing is the backup bootloader?

Can I ask for a protected-bootloader-install package for smips? the -mipsbe one refuses to install.

RouterOS 6.33.5, /system routerboard shows current firmware is 3.29
protected-bootloader doesn't appear anywhere under /system routerboard or /system routerboard settings.

Re: Protected RouterBOOT

Posted: Mon Jan 18, 2016 4:05 pm
by PaulsMT
To enable protected RouterBOOT, you have to update board backup BIOS to v3.24.

This backup BIOS package can be downloaded here:
http://www.mikrotik.com/download/share/ ... mipsbe.dpk

More info here:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader

Enable protected RouterBOOT under:
/system routerboard settings set

Re: Protected RouterBOOT

Posted: Tue Jan 19, 2016 3:44 am
by skyhawk
Thanks PaulsMT, but I need an install package for smips...
jan/01 00:00:04 system,info verified protected_routerboot_v3_24_enable_6_29_1_mipsbe.dpk 
13:36:09 system,error can not install protected-router-6.29: it is not made for smips, but for mips 
13:36:09 system,info router rebooted 

[admin@RB941-2nD-560C045163E9] > /system routerboard settings set protected-routerboot=enabled 
echo: system,info,critical Current RouterBOOT does not support this feature

Re: Protected RouterBOOT

Posted: Thu Jan 21, 2016 11:39 am
by PaulsMT
Thanks PaulsMT, but I need an install package for smips...
jan/01 00:00:04 system,info verified protected_routerboot_v3_24_enable_6_29_1_mipsbe.dpk 
13:36:09 system,error can not install protected-router-6.29: it is not made for smips, but for mips 
13:36:09 system,info router rebooted 

[admin@RB941-2nD-560C045163E9] > /system routerboard settings set protected-routerboot=enabled 
echo: system,info,critical Current RouterBOOT does not support this feature

Thank you for reporting us, we have just added missing package for smips. You can download it here:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader

Press link for smips platform to download file.

Re: Protected RouterBOOT

Posted: Mon Feb 29, 2016 5:26 pm
by soueidan
Hello All,

As it is mentioned in the wiki " The backup RouterBOOT version can not be older than v3.22 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory."

However, what is the way to upgrade the backup RouterBOOT ?

Simply draging the file into files section and rebooting is not working!

Is there a special way to do so?

Looking forward for replies.

Thanks in advance.

Re: Protected RouterBOOT

Posted: Tue Mar 22, 2016 2:32 pm
by PaulsMT
Hello All,

As it is mentioned in the wiki " The backup RouterBOOT version can not be older than v3.22 version. A special package is provided to upgrade the backup RouterBOOT (DANGEROUS). Newer devices will have this new backup loader already installed at the factory."

However, what is the way to upgrade the backup RouterBOOT ?

Simply draging the file into files section and rebooting is not working!

Is there a special way to do so?

Looking forward for replies.

Thanks in advance.
1. Make sure your RouterOS is not very old - for Tile and Smips at least 6.33, for mipsbe 6.29.1
2. drag & drop DPK update file for your architecture:
http://wiki.mikrotik.com/wiki/Manual:Ro ... bootloader
3. Reboot.

You should see update information in the log output (/log print)

Re: Protected RouterBOOT

Posted: Sat Jun 11, 2016 8:28 am
by skyhawk
05:16:31 system,info verified protected_routerboot_v3_29_enable_6_33_smips.dpk 
05:16:32 system,info installed protected-router-6.33 
05:16:32 system,info FAILED to enable protected RouterBOOT: wrong running booter version 

             model: RouterBOARD 941-2nD
     serial-number: <...>
     firmware-type: qca9531L
  factory-firmware: 3.19
  current-firmware: 3.33
  upgrade-firmware: 3.33

                   uptime: 8m43s
                  version: 6.35.2 (stable)
               build-time: May/02/2016 10:09:26
<....>
        architecture-name: smips
               board-name: hAP lite
                 platform: MikroTik

Any chance for an updated protected-router package for smips?

Re: Protected RouterBOOT

Posted: Sat Oct 01, 2016 3:22 am
by ofca
I'm having the same problem as above.

Re: Protected RouterBOOT

Posted: Fri Oct 21, 2016 11:10 am
by Nord
I'm having the same problem as above.

[admin@Aseev_SV] /system routerboard settings> set protected-routerboot=enabled
echo: system,info,critical Current RouterBOOT does not support this feature
[admin@Aseev_SV] /system routerboard settings> pri
;;; Current RouterBOOT does not support this feature
boot-device: nand-if-fail-then-ethernet
cpu-frequency: 600MHz
boot-protocol: bootp
force-backup-booter: no
silent-boot: no
[admin@Aseev_SV] /system routerboard settings> ..
[admin@Aseev_SV] /system routerboard> print
;;; Current RouterBOOT does not support this feature
routerboard: yes
model: SXT 5nD r2
serial-number: 522304A494DE
firmware-type: ar9344
factory-firmware: 3.22
current-firmware: 3.33
upgrade-firmware: 3.33
[admin@Aseev_SV] /system routerboard> print
;;; Current RouterBOOT does not support this feature
routerboard: yes
model: SXT 5nD r2
serial-number: 522304A494DE
firmware-type: ar9344
factory-firmware: 3.22
current-firmware: 3.33
upgrade-firmware: 3.33

Re: Protected RouterBOOT

Posted: Fri Oct 21, 2016 6:09 pm
by agnostic
why want a device that is impossible to reset to some standard and known settings? in case something goes bad you will have a dead router. it is prefered the router to work even in another provider. if you want to be ok to the idea that a client maybe use the device with other provider then charge them for it and then just protect your setting and passwords with this feature.

Re: Protected RouterBOOT

Posted: Sat Nov 05, 2016 7:21 pm
by kadhim09
older devices have no ability to upgrade backup bootloader. only RB9xx and newer are supported

so can i use bootloader in sxt ligth

Re: Protected RouterBOOT

Posted: Sat Jan 28, 2017 3:01 pm
by rextended
WARNING: DOING IT IS AT ALL YOUR RISK!!!

I can't test all model, but if I find one problem, I report that here.

IF YOUR HARDWARE HAVE MAJOR VERSION OF RESPECTIVE FACTORY BOOT, DO NOTHING!!!
You can see Factory Firmware version from RouterOS 6.34rc45 with "/system routerboard print" command

Actually the 5 files on
http://wiki.mikrotik.com/wiki/Manual:Ro ... D_settings
are:
https://www.mikrotik.com/download/share ... mipsbe.dpk
https://www.mikrotik.com/download/share ... _smips.dpk
https://www.mikrotik.com/download/share ... _mmips.dpk
https://www.mikrotik.com/download/share ... 0_tile.dpk
https://box.mikrotik.com/f/313edb5d0e2f479b8aba/?dl=1 ( Universal 6.43.7 enable for 6.43.x RouterOS )

Those Factory RouterBOOT are ALSO a replacement for previous bugged Factory RouterBOOT!!!

DO NOT UPGRADE DISTANT HARDWARE, SOMETIME (in case of error) MANUAL REBOOT IS NEEDED!!!
I HAVE WARNED YOU...


Before the use:
Check RouterOS version, only 6.40.9 and 6.43.7 "support all hardware supported" (previous versions sometime do not rightly recognize RB also if supported) for upgrade factory bios (for now with the mikrotik's files provided)
You must chose the right file for the RouterBOARD architecture.

UNSUPPORTED:
arm all [AL2(L), DX3230(L), IPQ8060, IPQ4000(L), ...]
mipsle all [adm5120, ar2316, rc32434, ...]
powerpc all [amcc460, mpc8323, mpc8343, mpc8544, mpc8548, p1023, p2020, ...]
EDIT: 6.43.7 contains powerpc [only mpc8544, p1023, p2020] BIOS, but I not have actually tested if work
x86 all [RB230 wlb, ...]
and obviously any SwOS / SwitchOS only board.

The ONLY architecture supported are mipsbe, smips, mmips and tile!!!
EDIT: 6.43.7 contains powerpc [only mpc8544, p1023, p2020], but I not have actually tested if work

EDIT: MikroTik actually do not publish single 6.43.7 BIOS files, use RouterOS 6.43.7 for update the current bios to the right version for upgrade.

the file for tile supports:
tilegx (3.41 http://i.mt.lv/routerboard/files/tilegx_3.41.fwf )

the file for mmips supports:
mt7621L (3.41 http://i.mt.lv/routerboard/files/mt7621L_3.41.fwf )
the mmips mt7621 (without "L") if exist, is UNSUPPORTED

the file for smips supports:
qca9531L (3.41 http://i.mt.lv/routerboard/files/qca9531L_3.41.fwf )
the smimps qca9531 (without "L") if exist, is UNSUPPORTED

the file for mipsbe supports:
ar7100 (3.41 http://i.mt.lv/routerboard/files/ar7100_3.41.fwf ) some old models still unsupported, i do not have one precise list
ar9330 (3.41 http://i.mt.lv/routerboard/files/ar9330_3.41.fwf )
ar9330L (3.41 http://i.mt.lv/routerboard/files/ar9330L_3.41.fwf )
ar9340 (3.41 http://i.mt.lv/routerboard/files/ar9340_3.41.fwf )
ar9340L (3.41 http://i.mt.lv/routerboard/files/ar9340L_3.41.fwf )
ar9344 (3.41 http://i.mt.lv/routerboard/files/ar9344_3.41.fwf )
ar9344L (3.41 http://i.mt.lv/routerboard/files/ar9344L_3.41.fwf )
qca8513 (3.41 http://i.mt.lv/routerboard/files/qca8513_3.41.fwf )
qca8513L (3.41 http://i.mt.lv/routerboard/files/qca8513L_3.41.fwf )

qca8719 (without "L") if exist, is UNSUPPORTED
qca8719L (3.41 http://i.mt.lv/routerboard/files/qca8719L_3.41.fwf )
qca9531 (without "L") if exist, is UNSUPPORTED
qca9531L (3.41 http://i.mt.lv/routerboard/files/qca9531L_3.41.fwf )
qca9550 (3.41 http://i.mt.lv/routerboard/files/qca9550_3.41.fwf )
qca9550L (3.41 http://i.mt.lv/routerboard/files/qca9550L_3.41.fwf )

the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).

The single file update the Factory RouterBOOT with same version on is name and require before upgrade the same bios on filename as current firmware (active and booted):

https://www.mikrotik.com/download/share ... 0_tile.dpk
Before the update the tile must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

https://www.mikrotik.com/download/share ... _smips.dpk
Before the update the smips must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

https://www.mikrotik.com/download/share ... _mmips.dpk
Before the update the mmips must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

https://www.mikrotik.com/download/share ... mipsbe.dpk
Before the update the mipsbe must have RouterOS 6.40.7 and EXACTLY 3.41 as current booted firmware
If you have 3.42+ as CURRENT firmware you must downgrade the CURRENT firmware and reboot before upgrade Factory firmware

*** START EDIT ***
https://box.mikrotik.com/f/313edb5d0e2f479b8aba/?dl=1 ( Universal 6.43.7 enable for 6.43.x RouterOS )
For use "Universal" factory boot update, RouterOS must be 6.43.7, current bios must be 6.43.7 from boot (not just updated).
*** END EDIT ***

After the update of Factory RouterBOOT with support for protected-routerboot, you can upgrade again the current bios to the latest version present on future version of RouterOS.

I hope all is clear now for all.

Re: Protected RouterBOOT

Posted: Sat Jan 28, 2017 3:08 pm
by rextended

Re: Protected RouterBOOT

Posted: Sat Jan 28, 2017 3:09 pm
by rextended

Re: Protected RouterBOOT

Posted: Sat Jan 28, 2017 3:17 pm
by rextended
why want a device that is impossible to reset to some standard and known settings? in case something goes bad you will have a dead router. it is prefered the router to work even in another provider. if you want to be ok to the idea that a client maybe use the device with other provider then charge them for it and then just protect your setting and passwords with this feature.
My CPE are not sold to end user. If someone steals my CPE I not want than the thief also steals the "intellectual property", the passwords, etc.
At the end of the contracts the end user must give back the CPE.

The protected routerboot do not "protect" hardware but just the "intellectual property", the passwords, etc. inside the configuration.

If for some reason end user buy the CPE or other hardware, at the end of contract the routerboard is still fully usable, but the end user must clean all "intellectual property", the passwords, etc., after use it, because the user do not pay me for it's rent.

Re: Protected RouterBOOT

Posted: Sun Apr 16, 2017 7:42 pm
by Mazutti
So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn´t get any results.

Can anyone confirm if this error means these RBs are not supported (too old) or if that´s something I´m doing wrong?

Any additional information, I would be glad to share.


Thanks in advance.

Mazutti

Re: Protected RouterBOOT

Posted: Tue Apr 18, 2017 3:24 pm
by rextended
So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn´t get any results.

Can anyone confirm if this error means these RBs are not supported (too old) or if that´s something I´m doing wrong?

Any additional information, I would be glad to share.


Thanks in advance.

Mazutti
fixed, use 6.40.7
viewtopic.php?f=2&t=94303&p=580430#p580430

Re: Protected RouterBOOT

Posted: Wed Apr 19, 2017 10:04 pm
by Mazutti
So, tried the step-by-step on two mipsbe RBs (mAP-2n and RB951G), and on both I get the error "FAILED to enable protected RouterBOOT: code 14". Tried to search for this error, but couldn´t get any results.

Can anyone confirm if this error means these RBs are not supported (too old) or if that´s something I´m doing wrong?

Any additional information, I would be glad to share.


Thanks in advance.

Mazutti
I try the same with one 922UAGS-5HPacD with same error code 14 with 6.38.5

Downgraded to 6.37.5 for update and is working as expected

Is like the protected routerboot upgrade is stopping work on 6.38(.5)???
Makes sense, since both of my devices are on 6.38.5. Tested downgrading the mAP-2n to 6.37.5 and doing the procedure again and now protected routerboot is enabled. Will do the same on RB951G and report back.

Thanks again.


Mazutti

Re: Protected RouterBOOT

Posted: Fri Apr 21, 2017 12:59 pm
by normis
It seems to me that you are following the procedure that only applies to very old devices, that need a special package. This package is no longer compatible with new RouterOS. We will soon make new packages.

But you don't need this package. You can just enable this feature from the console:
/system routerboard settings set protected-routerboot=enabled

Re: Protected RouterBOOT

Posted: Fri Apr 21, 2017 2:55 pm
by Mazutti
It seems to me that you are following the procedure that only applies to very old devices, that need a special package. This package is no longer compatible with new RouterOS. We will soon make new packages.

But you don't need this package. You can just enable this feature from the console:
/system routerboard settings set protected-routerboot=enabled
Normis,

Yes, I followed the procedure rextended described above. RB951G also has been upgraded successfully after going back to 6.37.5, downgrading the firmware to 3.24, and then applying the mipsbe .dpk file. Message from a RB2011, if I try to apply the code you mentioned, on 6.38.5 is that "Current RouterBOOT does not support this feature.", and that is one of the last RB I have that yet doesn´t support protected routerboot. If that error is not intended and you want access to or more information from the RB2011, just let me know, would be glad to help.

Thanks in advance.


Mazutti

Re: Protected RouterBOOT

Posted: Thu Apr 27, 2017 6:03 pm
by rextended
It seems to me that you are following the procedure that only applies to very old devices, that need a special package. This package is no longer compatible with new RouterOS. We will soon make new packages.

But you don't need this package. You can just enable this feature from the console:
/system routerboard settings set protected-routerboot=enabled
Normis,

Yes, I followed the procedure rextended described above. RB951G also has been upgraded successfully after going back to 6.37.5, downgrading the firmware to 3.24, and then applying the mipsbe .dpk file. Message from a RB2011, if I try to apply the code you mentioned, on 6.38.5 is that "Current RouterBOOT does not support this feature.", and that is one of the last RB I have that yet doesn´t support protected routerboot. If that error is not intended and you want access to or more information from the RB2011, just let me know, would be glad to help.

Thanks in advance.


Mazutti

I have updated the guide.

viewtopic.php?f=2&t=94303&p=580430#p580430

Thanks for feedback.

Re: Protected RouterBOOT

Posted: Thu Aug 10, 2017 2:32 pm
by rextended
viewtopic.php?f=2&t=94303&p=580430#p580430

Updated for new 3.41 factory RouterBOOT

Re: Protected RouterBOOT

Posted: Thu Aug 10, 2017 7:19 pm
by irghost

the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).
https://i.mt.lv/routerboard/files/ar7240_3.41.fwf
 /system routerboard> print 
       routerboard: yes
             model: RouterBOARD SXT LTE 3-7
     serial-number: ******************
     firmware-type: ar7240
  factory-firmware: 3.33
  current-firmware: 3.41
  upgrade-firmware: 3.41
Image

Re: Protected RouterBOOT

Posted: Fri Aug 11, 2017 2:24 am
by rextended

the mipsbe ar7240 are UNSUPPORTED!!! (but protected routerboot work if factory firmware and current boot firmware >= 3.24).
https://i.mt.lv/routerboard/files/ar7240_3.41.fwf
 /system routerboard> print 
       routerboard: yes
             model: RouterBOARD SXT LTE 3-7
     serial-number: ******************
     firmware-type: ar7240
  factory-firmware: 3.33
  current-firmware: 3.41
  upgrade-firmware: 3.41
Image
And what you expect? You understand? (من نمی دانم منظور شما چیست)
This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
as already writed: the mipsbe ar7240 are UNSUPPORTED!!!
you can only upgrade "current" BIOS whit the file in your link, but is unuseful for upgrade factory routerboot.

Re: Protected RouterBOOT

Posted: Fri Aug 11, 2017 7:25 am
by irghost

And what you expect? You understand? (من نمی دانم منظور شما چیست)
This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
as already writed: the mipsbe ar7240 are UNSUPPORTED!!!
you can only upgrade "current" BIOS whit the file in your link, but is unuseful for upgrade factory routerboot.
you Just Said Unsupported
Which one ? Current or Factory?
When u Didn't add AR7240 Firmware file and said " Unsupported "
maybe someone thinks there is no 3.41 firmware for AR7240
I just added AR7240 Firmware For correction

Re: Protected RouterBOOT

Posted: Fri Aug 11, 2017 12:41 pm
by rextended

And what you expect? You understand? (من نمی دانم منظور شما چیست)
This thread is for upgrade FACTORY firmware with one with Protected RouterBOOT support, not the "current"...
as already writed: the mipsbe ar7240 are UNSUPPORTED!!!
you can only upgrade "current" BIOS whit the file in your link, but is unuseful for upgrade factory routerboot.
you Just Said Unsupported
Which one ? Current or Factory?
When u Didn't add AR7240 Firmware file and said " Unsupported "
maybe someone thinks there is no 3.41 firmware for AR7240
I just added AR7240 Firmware For correction
The file for upgrade the FACTORY firmware
https://www.mikrotik.com/download/share ... mipsbe.dpk
do NOT support ar7240.
I do not add the link for "CURRENT" firmware because this is not the point for this thread.
For Protected RouterBOOT the factory firmware MUST have the support for Protected RouterBOOT,
the CURRENT also must support Protected RouterBOOT, but is easily upgradable with standard .fwf files or with one embedded on routeros system package.

Re: Protected RouterBOOT

Posted: Fri Aug 11, 2017 12:51 pm
by rextended
Those files are only for upgrade CURRENT firmware.
Those file do not have the ability to modify the FACTORY firmware.

mipsbe (NEW, not present on actual RouterOS 6.40.x)
http://i.mt.lv/routerboard/files/ar7240_3.41.fwf

arm (all NEW, not presents on actual RouterOS 6.40.x)
http://i.mt.lv/routerboard/files/al2_3.42.fwf
http://i.mt.lv/routerboard/files/dx3230L_3.41.fwf
http://i.mt.lv/routerboard/files/ipq8060_3.41.fwf
http://i.mt.lv/routerboard/files/ipq4000L_3.41.fwf

smips (undocumented, not released on RouterOS)
http://i.mt.lv/routerboard/files/qca9531_3.36.3.fwf
warning: qca9531 and qca9531L do not are the same model!!!

powerpc (all this files are latest firmware already present on RouterOS 6.x)
http://i.mt.lv/routerboard/files/mpc8323_2.18.fwf
http://i.mt.lv/routerboard/files/mpc8343_2.27.fwf
http://i.mt.lv/routerboard/files/mpc8548_2.30.fwf
http://i.mt.lv/routerboard/files/amcc460_3.10.fwf
http://i.mt.lv/routerboard/files/mpc8544_3.24.fwf
http://i.mt.lv/routerboard/files/p1023_3.24.fwf
http://i.mt.lv/routerboard/files/p2020_3.24.fwf

x86 RB230 (this file is latest firmware already present on RouterOS)
wlb-bios_1.3.8.fwf (i do not have valid direct link, but is embedded on all 5.x and 6.x RouterOS x86)

Re: Protected RouterBOOT

Posted: Fri Aug 11, 2017 3:08 pm
by rextended
post deleted:
fixed on 6.40.7

Re: Protected RouterBOOT

Posted: Fri Mar 09, 2018 10:05 am
by feris
Hello
I think there is a problem with upgrade on ROS 6.41.
I can upgrade current RouterBOOT firmware to 3.41 using .fwf file with no problem.
Upgrade of factory RouterBOOT using .dpk file also works fine according to log output ( verified&installed) but /system routerboard still show old version of factory.
I've seen it on RB951G-2HnD and wAP ac.
Best Regards

Re: Protected RouterBOOT

Posted: Tue Apr 03, 2018 2:58 pm
by CoMMyz
Any update for files on 6.41?

Thanks

Re: Protected RouterBOOT

Posted: Tue Apr 10, 2018 3:35 am
by rextended
Any update for files on 6.41?

Thanks
Downgrade RouterOS to 6.40.7 "bugfix" and follow my guide:
viewtopic.php?f=2&t=94303&p=580430#p580430

Re: Protected RouterBOOT

Posted: Tue Apr 10, 2018 3:36 am
by rextended
Hello
I think there is a problem with upgrade on ROS 6.41.
I can upgrade current RouterBOOT firmware to 3.41 using .fwf file with no problem.
Upgrade of factory RouterBOOT using .dpk file also works fine according to log output ( verified&installed) but /system routerboard still show old version of factory.
I've seen it on RB951G-2HnD and wAP ac.
Best Regards

RoterOS 6.41+ actually is unsupported for upgrade factory firmware

Downgrade RouterOS to 6.40.7 "bugfix" and follow my guide:
viewtopic.php?f=2&t=94303&p=580430#p580430

Re: Protected RouterBOOT

Posted: Mon Jul 30, 2018 10:33 am
by DmitryAVET
rextended, thaks a lot for files!

I maked manual for russian clients, based on your info
https://weblance.com.ua/388-funkciya-pr ... rotik.html

Re: Protected RouterBOOT

Posted: Sun Aug 05, 2018 1:58 pm
by rextended
rextended, thaks a lot for files!

I maked manual for russian clients, based on your info
https://weblance.com.ua/388-funkciya-pr ... rotik.html
:o

Re: Protected RouterBOOT

Posted: Thu Dec 13, 2018 1:34 am
by shahbazian
How to upgrade factory firmware (RouterBOOT)?

I have some old RouterBOARDs with older version of RouterBOOT. I need enable Protected RouterBOOT on that, but it is impossible because the factory firmware is older than 3.24.
How to upgrade that?

Re: Protected RouterBOOT

Posted: Thu Dec 13, 2018 7:54 am
by Guntis
How to upgrade factory firmware (RouterBOOT)?
To upgrade factory firmware you need to use special package that can be found here:
https://wiki.mikrotik.com/wiki/Manual:R ... bootloader

We will soon add newer version packages on that page.

Re: Protected RouterBOOT

Posted: Thu Dec 20, 2018 12:38 pm
by onnoossendrijver
The link to the universal package is not working: File does not exist.
Can you fix the link?

Re: Protected RouterBOOT

Posted: Thu Dec 20, 2018 1:20 pm
by normis
The link to the universal package is not working: File does not exist.
Can you fix the link?
Link fixed

Re: Protected RouterBOOT

Posted: Mon Jan 07, 2019 6:29 pm
by rextended
How to upgrade factory firmware (RouterBOOT)?

I have some old RouterBOARDs with older version of RouterBOOT. I need enable Protected RouterBOOT on that, but it is impossible because the factory firmware is older than 3.24.
How to upgrade that?
Please read the instructions here:
viewtopic.php?f=2&t=94303&p=580430#p580430
updated for "Universal" use.

Re: Protected RouterBOOT

Posted: Sat Jan 12, 2019 4:16 am
by alex3712
Hello, there are some solutions for the mipsbe ar7240 factory-firmware upgrade to at least 3.33

Re: Protected RouterBOOT

Posted: Sat Jan 26, 2019 1:12 pm
by CoMMyz
Can someone please from MikroTik update the wiki link for 6.43.8 Universal?
It is currently for 6.43.7 - i hate downgrading just for this.

Thank you

@normis

Re: Protected RouterBOOT

Posted: Tue Feb 05, 2019 7:15 pm
by Keyko
Any updates? Maby make auto update routerboot firmware with ROS??

Re: Protected RouterBOOT

Posted: Thu Feb 28, 2019 4:26 pm
by Keyko
Any updates? Maby make auto update routerboot firmware with ROS??

Re: Protected RouterBOOT

Posted: Sat Apr 13, 2019 11:34 am
by Keyko
Can anyone answer - will there be a Universal 6.43.7 enable for 6.43.x RouterOS update for all platforms? Should I install it and is there a changelog ???

Re: Protected RouterBOOT

Posted: Fri Sep 27, 2019 6:34 pm
by rw3aui
Good day, where i can find bin file for programmer, I brake flash.