Community discussions

MikroTik App
 
LukasSVK
newbie
Topic Author
Posts: 40
Joined: Tue Dec 07, 2010 1:57 am
Location: Bratislava, Slovakia

How can i verify ros before reboot?

Mon Jun 04, 2012 5:14 pm

Hi, i have question about ROS manual download verification. In cisco IOS can do
router# verify /md5 disk0:c7301-jk9s-mz.124-10.bin 0c5be63c4e339707efb7881fde7d5324
or better
router#verify disk0:c7301-jk9s-mz.124-10.bin
Verifying file integrity of disk0:c7301-jk9s-mz.124-10.bin
.....<output truncated>.....Done!
Embedded Hash MD5 : 0C5BE63C4E339707EFB7881FDE7D5324
Computed Hash MD5 : 0C5BE63C4E339707EFB7881FDE7D5324
CCO Hash MD5 : AD9F9C902FA34B90DE8365C3A5039A5B

Signature Verified

+ file verify auto (after copy or reload)

Has ROS these features? Or can i somehow compute md5 hash in ROS?

Thanks L.
 
User avatar
cbrown
Trainer
Trainer
Posts: 1840
Joined: Thu Oct 14, 2010 8:57 pm
Contact:

Re: How can i verify ros before reboot?

Mon Jun 04, 2012 5:47 pm

You can get the md5 from the Mikrotik download page. RouterOS also verifies the package before upgrading.
You do not have the required permissions to view the files attached to this post.
C.Brown

cbrown[at]ravenrocknetworks.com
MTCNA - MTCRE - MTCWE - MTCTCE
MTCSE - TRAINER-0179
 
LukasSVK
newbie
Topic Author
Posts: 40
Joined: Tue Dec 07, 2010 1:57 am
Location: Bratislava, Slovakia

Re: How can i verify ros before reboot?

Mon Jun 04, 2012 6:35 pm

Yes, i know, but what if md5sum is wrong? I reboot router and then?

Can i verify before reboot?

Edit: When i upload npk package to the router, how a i can verify that package is ok and md5sum is correct? (before reboot via terminal or winbox)

Thanks L.
 
tjc
Member Candidate
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: How can i verify ros before reboot?

Tue Jun 05, 2012 6:09 am

Yes, i know, but what if md5sum is wrong? I reboot router and then?
Presumably it reboots without doing the upgrade.
 
User avatar
c0d3rSh3ll
Long time Member
Long time Member
Posts: 558
Joined: Mon Jul 25, 2011 9:42 pm
Location: [admin@Chile] >

Re: How can i verify ros before reboot?

Wed Jun 06, 2012 5:40 am

system check-installation

I don't know a method of check md5sum in routerOS as in cisco IOS
nothing
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: How can i verify ros before reboot?

Wed Jun 06, 2012 8:50 am

system check-installation

that will check current installation not the uploaded npk files. __Currently__ there it is not possible to do that without reboot.
 
Devil
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: How can i verify ros before reboot?

Wed Jun 06, 2012 12:00 pm

Yes, i know, but what if md5sum is wrong? I reboot router and then?

Can i verify before reboot?

Edit: When i upload npk package to the router, how a i can verify that package is ok and md5sum is correct? (before reboot via terminal or winbox)

Thanks L.
As i understand, your concern is the router being rebooted and not coming back, because the npk package was corrupted. is this correct? As mentioned by 'cbrown', the router verifies the file right after the reboot and before upgrading. so it would only make sense that it would stop upgrading if it couldn't verify the integrity of the npk package. its quite easy to test actually. though i can't afford testing it at the moment but one could open the .npk file with an hex-editor and edit couple of bytes, upload the npk file to the router, setup the serial port so he could see whats happening, and restart the router...
Best Regards
 
User avatar
janisk
MikroTik Support
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: How can i verify ros before reboot?

Wed Jun 06, 2012 12:08 pm

well, RouterOS ensures that packages uploaded can be used for the arch and are not damaged. Only after that upgrade is done if packages are ok.
 
User avatar
c0d3rSh3ll
Long time Member
Long time Member
Posts: 558
Joined: Mon Jul 25, 2011 9:42 pm
Location: [admin@Chile] >

Re: How can i verify ros before reboot?

Wed Jun 06, 2012 8:31 pm

but not check with md5sum or similar method if routerOS has not modified.

routerOS check if architecture is correct and package .npk is not broken.
nothing
 
tjc
Member Candidate
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: How can i verify ros before reboot?

Sat Jun 09, 2012 7:54 pm

Seriously, give the Microtik guys some credit. They're not stupid. How exactly do you think they're checking that the packages "are not damaged" other than by using some kind of strong hash code (MD5, SHA, ...)?

Unless you've tested and proven this yourself claiming that they're "not check with md5sum or similar method" is a baseless accusation of incompetence verging on malpractice.
but not check with md5sum or similar method if routerOS has not modified.

routerOS check if architecture is correct and package .npk is not broken.
 
Devil
Member Candidate
Member Candidate
Posts: 170
Joined: Thu Jul 21, 2011 9:13 am

Re: How can i verify ros before reboot?

Sun Jun 10, 2012 9:33 am

It's probably more than just some hash verification. a lot of firmwares are signed with the manufactures master code. and unless the device could verify the signature, it wouldn't do the upgrade. i wouldn't be surprised if that was the case with mikroik firmwares as well. that being said, being able to see the md5 hashes on stored files in routeros might come handy. but i don't think it's a priority. If someone's really that concern that everything together might go wrong including somehow a .npk package, could only be partially uploaded or being written exactly on a bad sector and then after restart, the router would stop working cause there might be a bug or something in firmware verification check done by the router, he could just upload the .npk package first, then download the uploaded package from the router, check the md5 hash to make sure the package still has the right hash even after uploading to the router, and then restart the router.
I mean you gotta stop being worried at some point. even if they implement manual md5 hash checking for routeros files, the next thread would be 'what if that partially uploaded .npk package, ends up having the same md5 hash as the original one?'
Best Regards
 
tjc
Member Candidate
Member Candidate
Posts: 279
Joined: Sun Jul 10, 2011 3:08 am

Re: How can i verify ros before reboot?

Sun Jun 10, 2012 5:28 pm

It's probably more than just some hash verification. a lot of firmwares are signed with the manufactures master code.
Digital signatures either involve encrypting the whole file, or more commonly using a hash which is then encrypted. See the History section here: http://en.wikipedia.org/wiki/Digital_signature Also, strong hashes use crypto techniques anyway to minimize the chances of collisions and thus undetected errors, which is why all of the modern ones come from crypto researchers. Either way it's kind of "a rose by any other name".

A bit of research on npk reveals a lightweight packaging system http://code.google.com/p/npk/ which uses a block cipher called xxtea (http://en.wikipedia.org/wiki/XXTEA) for content verification. The wiki page doesn't include enough details to tell how they're using it, or if MicroTik's npk is the same.
 
robertik
just joined
Posts: 10
Joined: Tue Dec 04, 2012 2:45 pm

Re: How can i verify ros before reboot?

Thu Jan 16, 2014 7:53 pm

Lately we had some issues with 6.6 packages.
We where uploading routeros-mipsbe-6.6.npk file, but after reboot most of the packages was missing - only system package was installed.
In log files we had error that verification of package was unsuccessful.

Who is online

Users browsing this forum: freemannnn, Majestic-12 [Bot], robs and 149 guests