gunglaksman
just joined
Topic Author
Posts: 1
Joined: Sun Sep 11, 2022 6:32 am

Mikrotik hacked and hard reset disabled

Sun Sep 11, 2022 6:41 am

Hello, recently my RB952Ui-5ac2nD-TC got hacked, and I noticed the admin user had been downgraded to read-only mode. I can't do anything because the bootloader protection is enabled. I assume netinstall won't work because the method relies on a reset during power-up; I tried it, but my Mikrotik didn't show up. Any suggestions? I'm kind of frustrated; any help means a lot to me, thank you!
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik hacked and hard reset disabled

Mon Sep 12, 2022 12:48 am

On the image you have a hint for the protected routerboot time!!!
What fortune...
Try netinstall after waiting for the protected routerboot: after it blinks 1 sec on / 1 sec off for exactly 5 minutes....

Probably MikroTik will fix this in following releases, hiding the protected routerboot from non-policy users...
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Mikrotik hacked and hard reset disabled

Mon Sep 12, 2022 7:41 am

I was not aware of this "feature". After @rextended's note, I went looking and found this Protected bootloader documentation.

"Protected bootloader
This is a new feature which allows the protection of RouterOS configuration and files from a physical attacker by disabling etherboot. It is called "Protected RouterBOOT". This feature can be enabled and disabled only from within RouterOS after login, i.e., there is no RouterBOOT setting to enable/disable this feature. These extra options appear only under certain conditions. When this setting is enabled, both the reset button and the reset pin-hole are disabled. The RouterBOOT menu is also disabled. The only way to change boot mode or enable the RouterBOOT settings menu is through RouterOS. If you do not know the RouterOS password, only a complete format is possible."

And later it says:
protected-routerboot (enabled | disabled; Default: disabled) This setting disables any access to the RouterBOOT configuration settings over a console cable and disables operation of the reset button to change the boot mode (Netinstall will be disabled). Access to RouterOS will only be possible with a known RouterOS admin password. Unsetting of this option is only possible from RouterOS. If you forget the RouterOS password, the only option is to perform a complete reformat of both NAND and RAM with the following method, but you have to know the reset button hold time in seconds.
enabled - secure mode, only RouterOS can be accessed with a RouterOS admin password. Any user input from serial port is ignored. Etherboot is not available, RouterBOOT setting change is not possible.
disabled - regular operation, RouterBOOT settings available with serial console and reset button can be used to launch Netinstall

And then they added "reformat-hold-button-max (5s .. 600s; Default: 10m) Increase the security even further by setting the max hold time, this means that you must release the reset button within a specified time interval. If you set the "reformat-hold-button" to 60s and "reformat-hold-button-max" to 65s, it will mean that you must hold the button 60 to 65 seconds, not less and not more, making guesses impossible. Introduced in RouterBOOT 3.38.3"

What if a disgruntled netadmin resets the privileged passwords and enables this? And what if reformat-hold-button-max was set to a value less than reformat-hold-button? (Perhaps not possible, I am not going to try.) How could you recover?

I think this is a dangerous option. It shouldn't be possible to enable an option like this without physical access to the router. It enables remote bricking or turning a router into a bot with no easy way to revert. I remember the BIOS passwords on PC motherboards that require a jumper to "reset", but it seems this doesn't even allow that option.

In the documentation there is a mention of enable-jumper-reset

and they show this "example"

[admin@demo.mt.lv] /system routerboard settings> print
baud-rate: 115200
boot-delay: 2s
enter-setup-on: any-key
boot-device: nand-if-fail-then-ethernet
cpu-frequency: 1200MHz
memory-frequency: 1066DDR
boot-protocol: bootp
enable-jumper-reset: yes
force-backup-booter: no
silent-boot: no

In this thread, How to reset RB4011 with Enable jumper reset off?, this response has a link to Buttons and jumpers, with the implication that you can always reset. But I am not willing to try with my router.

My RB760iGS with 7.4
[demo@MikroTik] > /system/routerboard/print
       routerboard: yes
        board-name: hEX S
             model: RB760iGS
     serial-number: ---redacted---
     firmware-type: mt7621L
  factory-firmware: 6.46.4
  current-firmware: 6.47.10
  upgrade-firmware: 7.4
[demo@MikroTik] > /system/routerboard/settings/print
              auto-upgrade: no
               boot-device: nand-if-fail-then-ethernet
             cpu-frequency: 880MHz
          memory-frequency: 1200DDR
             boot-protocol: bootp
       force-backup-booter: no
               silent-boot: no
               disable-pci: no
      protected-routerboot: disabled
      reformat-hold-button: 20s
  reformat-hold-button-max: 10m
[demo@MikroTik] > /system/routerboard/reset-button/print
    enabled: no
  hold-time: 0s..1m
   on-event: 
[demo@MikroTik] > /system/routerboard/mode-button/print
    enabled: no
  hold-time: 0s..1m
   on-event: 
[demo@MikroTik] >
Is there an alternate bootloader version available without this "feature"?
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik hacked and hard reset disabled

Mon Sep 12, 2022 10:00 am

You had an old version, this is why the hacker could enable it. In new versions, you must press a button on the device to enable it. This is one more reason to always keep your device upgraded.

Now, did you try to restore access with the hold-time?
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Mikrotik hacked and hard reset disabled

Mon Sep 12, 2022 10:35 am

In new versions, you must press a button on the device to enable it.
This is good news. Where is it documented?
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Mikrotik hacked and hard reset disabled

Mon Sep 12, 2022 10:54 am

You had an old version, this is why the hacker could enable it. In new versions, you must press a button on the device to enable it. This is one more reason to always keep your device upgraded.
Unfortunately, upgrading to the latest version isn't always the best thing to do. That wasn't true if you had a bootloader version before v3.24, when this poorly thought out option was added. The developers need to think more like hackers when adding features like this.

Microsoft has the same problem adding features like autorun on CD and USB devices. What could possibly go wrong? What were they thinking? "Users will love this, as it can make installing software easy; then the users won't have to do anything but load the CD, and everything else will be automatically done for them."

My point is, there may be ISPs that don't want home users resetting the device, and I can understand that, but it shouldn't be an option that can be set without physical access to the device at the time it is set, and I would argue that it's a poor feature to have without a way to override it, even if it does require removing the cover and accessing the motherboard. Hopefully there is a "zero ohm" resistor that can be either added or removed to recover without needing to unsolder the NAND or Flash chip.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik hacked and hard reset disabled

Mon Sep 12, 2022 2:14 pm

there may be ISPs that don't want home users resetting the device
The motivation is different, there are parts of the world where ISPs steal each other's Mikrotik devices. Setting this kind of protection makes it impossible to repurpose them.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik hacked and hard reset disabled

Mon Sep 12, 2022 2:23 pm

This is why I do not sell CPE to my clients; it remains my property, on free rent, obviously.
So the end user is obliged to give it back to us if he cancels the subscription.
And the new operator cannot use that antenna, because using it without our knowledge is theft, with all that goes with it.
If the end user is unable to return the antenna when he changes operator, he pays €500,00 in penalties.
Therefore the user is the first who is interested in having the CPE returned to us in the event of cancellation...
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Mikrotik hacked and hard reset disabled

Mon Sep 12, 2022 11:51 pm

This is why I do not sell CPE to my clients; it remains my property, on free rent, obviously.
So the end user is obliged to give it back to us if he cancels the subscription.
I am not sure if you are advocating for this "locking feature" or not.

There may be use cases for it, but it is a feature that can easily be turned against you.

It seems there should be a way to protect but with the ability to "retake" ownership using public key crypto and perhaps something like Steve Gibson's "SQRL Rescue code". See https://www.grc.com/sqrl/operation.htm. I.e. locking it should require physical access, and should provide for some way to unlock (based on crypto and some unique hardware identifier). The primary thing is you want to make recovery much harder for an unauthorized user than an authorized user, so hard that it isn't a useful operation for someone that steals the device.

Do ISPs have the ability to "register" their serial numbers with MikroTik so they won't issue new keys without your authorization?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Mikrotik hacked and hard reset disabled

Tue Sep 13, 2022 2:48 am

If someone steals the device, the S/N and the license are still bound to the distributor / reseller
(not the ISP, but whoever sells the device to the ISP, or better, whoever buys the devices directly from MikroTik).

An ISP can add every device to its own database, but it takes a long time; the site does not accept lists, only one device at a time, which is an endless thing for an ISP.....
But if someone tries to upgrade a license or bind it to their own account, MikroTik automatically knows who stole the device...
 
normis
MikroTik Support
Posts: 26376
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik hacked and hard reset disabled

Tue Sep 13, 2022 8:28 am

The only way such a feature can be turned against you is if you leave your device open to the world and it gets hacked. With a firewall in place, there is no way to get hacked like this, unless the attacker is in your LAN and has guessed your credentials.

And, like I already mentioned, the feature requires a button press to be activated.

ROS v6.49.1
*) routerboot - enabling "protected-routerboot" feature requires a press of a button;
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Mikrotik hacked and hard reset disabled

Tue Sep 13, 2022 10:28 am

Thanks for the confirmation @normis.

I found some previous threads, and posted my update here post #27 in @anav's New Protected Router Boot Mode thread.

The documentation for the reformat-hold-button-max has an inaccurate example that should be fixed, it shows setting to 60s and 65s, but you can't have a delta time less than 10s (which is a good thing in my opinion). So it should be changed to something like 60s and 70s which I verified is accepted on an RB760iGS with 7.4. (I have reset to 20s and 10m and disabled, this is in my home and I own it).

I also verified that it asks you to press the button (but doesn't say which one, I assume reset) if you use /system/routerboard/settings/print, and that it reverts to disabled if you don't press the button (both with the 6.47.10 and 7.4 bootloader firmware on the RB760iGS).
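As an added example (not code from MikroTik or from anyone in this thread), here is a small Python audit that parses the `key: value` output of `/system/routerboard/settings/print` as shown in Buckeye's earlier post and flags the risky combinations discussed there: protected-routerboot already enabled, a reformat-hold-button-max below reformat-hold-button, or a window narrower than the 10-second minimum delta Buckeye reports RouterOS enforces in this post. The sample output is constructed (values changed from the quoted print to show the risky case), and the 10-second minimum is taken from this thread rather than from MikroTik documentation. Durations are parsed in the RouterOS style (`20s`, `10m`, `1h30m`); range values such as `0s..1m` and non-durations such as `880MHz` are deliberately rejected.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the /system/routerboard/settings/print
# output quoted in the thread; values changed to show the risky case.
SAMPLE_SETTINGS = """\
              auto-upgrade: no
               boot-device: nand-if-fail-then-ethernet
             cpu-frequency: 880MHz
          memory-frequency: 1200DDR
             boot-protocol: bootp
       force-backup-booter: no
               silent-boot: no
               disable-pci: no
      protected-routerboot: enabled
      reformat-hold-button: 60s
  reformat-hold-button-max: 65s
"""

# Minimum gap between hold-button and hold-button-max, as reported in the
# thread (RouterOS 7.4 on an RB760iGS rejected 60s/65s but accepted 60s/70s).
MIN_HOLD_DELTA_SECONDS = 10

_UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"^(?:\d+[wdhms])+$")
_PART_RE = re.compile(r"(\d+)([wdhms])")


def parse_duration(text: str) -> Optional[int]:
    """Convert a RouterOS duration ('20s', '10m', '1h30m') to seconds.
    Returns None for ranges ('0s..1m') and non-durations ('880MHz')."""
    text = text.strip()
    if not _DURATION_RE.match(text):
        return None
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in _PART_RE.findall(text))


def parse_print_output(text: str) -> Dict[str, str]:
    """Turn the 'key: value' lines of a RouterOS print command into a dict."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def audit_routerboard_settings(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings about bootloader lock-out risk."""
    findings: List[str] = []

    if settings.get("protected-routerboot") == "enabled":
        findings.append(
            "protected-routerboot is enabled: reset button, serial RouterBOOT "
            "menu and Netinstall are disabled; the reformat hold-time window is "
            "the only recovery path, so record it somewhere safe")

    hold = parse_duration(settings.get("reformat-hold-button", ""))
    hold_max = parse_duration(settings.get("reformat-hold-button-max", ""))
    if hold is None or hold_max is None:
        findings.append(
            "reformat-hold-button / reformat-hold-button-max missing or "
            "unparsable: record both before enabling protection")
        return findings

    if hold_max < hold:
        findings.append(
            f"reformat-hold-button-max ({hold_max}s) is below "
            f"reformat-hold-button ({hold}s): no valid hold window exists")
    elif hold_max - hold < MIN_HOLD_DELTA_SECONDS:
        findings.append(
            f"hold window of {hold_max - hold}s is narrower than the "
            f"{MIN_HOLD_DELTA_SECONDS}s minimum reported in the thread; "
            "a release window this tight is easy to miss during recovery")
    return findings


def audit_print_output(text: str) -> List[str]:
    """Convenience wrapper: parse print output, then audit it."""
    return audit_routerboard_settings(parse_print_output(text))


if __name__ == "__main__":
    for finding in audit_print_output(SAMPLE_SETTINGS):
        print("-", finding)
```

Running the block on the constructed sample prints two findings: the enabled lock, and the 5-second window. Feeding it the real print from Buckeye's post (disabled, 20s, 10m) yields no findings. On a fleet, paste each router's print output in and keep the returned hold values with the device inventory, since that window is the only recovery path once the lock is on.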
 
nextgen86
just joined
Posts: 3
Joined: Mon Dec 19, 2022 5:05 pm

Re: Mikrotik hacked and hard reset disabled

Thu Dec 22, 2022 11:15 am

I can fix a Mikrotik Routerboard
exposed to the bootloader without losing the license. All types of direct proxy in the hardware section, immediately sent to me in Indonesia.
