 
paris9
newbie
Topic Author
Posts: 32
Joined: Mon Feb 03, 2014 9:31 am

protected-routerboot=enabled

Wed Jun 20, 2018 11:38 am

I am shipping a configured vanilla RouterBoard 850Gx2 to a customer and I want to ensure that if the router ends up in the wrong hands that only the hardware is stolen. In other words, I want to ensure the best possible protection for the /system scripts which contains secret keys, etc. I read in another post where someone commented "You can boot anything using Netinstall, not just RouterOS installer. You can boot Linux there, login via ssh and read whatever is stored on the NAND chip. Protected RouterBOOT prevents all that." With this information I configured my RouterBoard 850Gx2 with the below settings using Netinstall and my Configure Script.

My Configure Script:

# disable every console port entry (serial console included)
/system console disable [find]

# lock the bootloader: boot only from NAND, enable protected RouterBOOT, turn off the serial port
/system routerboard settings {
set boot-device=nand-only
set protected-routerboot=enabled
set baud-rate=off
}

Having done that, I am still able to access the console for the RouterBoot as shown below and I am even able to change the boot device.

So my questions are:

1. Are my /system scripts protected (I don't care about someone running off with the hardware. I want to know that my scripts cannot be read.)?

2. Is it working properly where I can change the boot-device from the serial console when I specifically stated "nand-only" in my script?

3. Is there any way to completely disable all messages from the serial console as if there were no serial hardware?

4. What do I look for to know that protected-routerboot is actually working?

5. Are there any configurations to further secure the RouterBoard 850Gx2?


Hardware Information:

RouterBoard 850Gx2
RouterOS 6.40.8 (Bugfix)
RouterBOOT booter 3.24
RouterBOOT booter backup 3.24

This is what I can still see and configure on the serial console:

RouterBOOT-3.24
What do you want to configure?
d - boot delay
k - boot key
s - serial console
n - silent boot
o - boot device
f - cpu frequency
r - reset booter configuration
e - format nand
w - repartition nand
g - upgrade firmware
i - board info
p - boot protocol
b - booter options
m - smp options
x - exit setup

Select boot device:
e - boot over Ethernet
* n - boot from NAND, if fail then Ethernet
1 - boot Ethernet once, then NAND
o - boot from NAND only
b - boot chosen device
f - boot Flash Configure Mode
3 - boot Flash Configure Mode once, then NAND
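One way to check, from RouterOS itself, whether the protections discussed in this post are actually in place (an added example, not the poster's script): a small Python checker that parses the text returned by `/system routerboard settings print` and `/system routerboard print` and reports every expected value that is missing. The two sample outputs below are constructed, and the `factory-firmware` field is assumed to hold the backup RouterBOOT version.

```python
import re

# Values the thread's configure script is meant to produce.
EXPECTED_SETTINGS = {
    "boot-device": "nand-only",
    "protected-routerboot": "enabled",
    "baud-rate": "off",
}
MIN_BACKUP_ROUTERBOOT = (3, 24)  # minimum backup RouterBOOT quoted from the wiki

def parse_print(text):
    """Turn RouterOS 'key: value' print output into a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def parse_version(s):
    """'3.24' -> (3, 24) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", s)[:2])

def audit(settings_text, board_text):
    """Return a list of findings; an empty list means everything checks out."""
    settings = parse_print(settings_text)
    board = parse_print(board_text)
    findings = []
    for key, want in EXPECTED_SETTINGS.items():
        have = settings.get(key, "<missing>")
        if have != want:
            findings.append(f"{key} is {have}, expected {want}")
    # Assumption: 'factory-firmware' in '/system routerboard print' is the
    # backup RouterBOOT that the wiki says must be at least 3.24.
    backup = board.get("factory-firmware", "")
    if not backup or parse_version(backup) < MIN_BACKUP_ROUTERBOOT:
        findings.append(f"backup RouterBOOT '{backup}' is older than 3.24")
    return findings

# Constructed sample output: the intended settings, but protection still off.
SAMPLE_SETTINGS = """\
            boot-device: nand-only
   protected-routerboot: disabled
              baud-rate: off
"""
SAMPLE_BOARD = """\
  factory-firmware: 3.24
  current-firmware: 3.24
"""
```

Run `audit()` on the real output copied from the router; if it still returns findings after a reboot, the setting never took effect.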
 
paris9
newbie
Topic Author
Posts: 32
Joined: Mon Feb 03, 2014 9:31 am

Re: protected-routerboot=enabled

Wed Jun 20, 2018 6:13 pm

It seems like something is not right because this article (https://wiki.mikrotik.com/wiki/Manual:R ... D_settings) states that "protected-routerboot=enabled will disable any access to the RouterBOOT configuration settings over a console cable and disables operation of the reset button to change the boot mode (Netinstall will be disabled). Access to RouterOS will only be possible with a known RouterOS admin password. Unsetting of this option is only possible from RouterOS. If you forget the RouterOS password, the only option is to perform a complete reformat of both NAND and RAM with the following method, but you have to know the reset button hold time in seconds." It further states that "Any user input from serial port is ignored. Etherboot is not available, RouterBOOT setting change is not possible." Finally, it also makes note that "The backup RouterBOOT version can not be older than v3.24 version."

Yet, I am using version 3.24 and...
I can view and change settings over the serial port console.
I can change the RouterBoot settings.

What am I doing wrong?
 
Aberanta
just joined
Posts: 3
Joined: Thu Oct 22, 2009 12:14 am
Location: Valladolid / Spain

Re: protected-routerboot=enabled

Fri Feb 15, 2019 12:19 am

It is an old post... but in case you need to do the same in the future: https://wiki.mikrotik.com/wiki/Manual:F ... ot_applied

Another thing that might be failing is the script, but I'm not sure. I'd remove the brackets {}, I think they are unnecessary... but maybe I'm wrong.