ice-wzl/MikroTik-NPK-Archive
- After the Margin Research findings were published about MikroTik routers, the company removed all download links to their older firmware. The only versions available for download are those that are not vulnerable to the Margin Research exploit. Historically, MikroTik has been very unfriendly to security researchers and jailbreaks of their routers. They go to great lengths to ensure little is known about how these devices actually function. Most of the public information regarding MikroTik internals comes from security researchers like Margin Research (https://margin.re/pulling-mikrotik-into-the-limelight-2/) and Jacob Baines (https://github.com/jacob-baines).
- As a researcher myself, I often want to download an older firmware image to flash onto a device; however, finding older .npk files is increasingly difficult as the years progress. A Reddit user, smileymattj, realized that MikroTik didn't actually remove the old .npk files from their website; they simply removed the download links to them. Thus, if you were to take a download link to a new version and swap out the newer version with an older one, you could download the older .npk (https://www.reddit.com/r/mikrotik/comments/1dfvguh/archive_of_routeros_versions/).
- MikroTik had a few variations in their URL scheme depending on what branch you were pulling from (stable, long-term, development, testing); however, with a bit of massaging I was able to figure out their URL schemes. They additionally used a slightly different URL for their x86 .npk files.
- Short answer: no. MikroTik makes it very difficult to backdoor their .npk files, as Margin Research explains (https://margin.re/pulling-mikrotik-into-the-limelight-2/).
- Additionally I am releasing the tool I used to pull their repo of .npk files. If you want to check if an .npk in this repo is backdoored simply use the tool to pull the identical version and compare SHA-256 hashes :)
- It's pretty simple: it has two modes of operation, either pull all versions from a particular branch or pull one version.

```
python3 npk_downloader.py --help
usage: npk_downloader.py [-h] [-a | -s]

options:
  -h, --help    show this help message and exit
  -a, --all     Download all .npk files from a specific branch
  -s, --single  Download single .npk file from a branch
```

- Simply pick the branch, version and architecture you wish to pull. I have built out the valid versions from the MikroTik changelogs.

```
python3 npk_downloader.py -s
Downloading single .npk file from True
1 arm
2 arm64
3 mipsbe
4 mmips
5 smips
6 tile
7 ppc
8 x86
[+] Select your arch: 1
1 Long-term release tree
2 Stable release tree
3 Testing release tree
4 Development release tree
[+] Select your branch: 1
[+] Type the version you want
6.49.10, 6.49.8, 6.48.7, 6.48.6, 6.48.5, 6.47.10, 6.47.9, 6.46.8, 6.46.7, 6.45.9, 6.45.8, 6.44.6, 6.44.5, 6.43.16, 6.43.15, 6.43.14, 6.43.13, 6.42.12, 6.42.11, 6.42.10, 6.42.9, 6.40.9, 6.40.8, 6.40.7, 6.40.6, 6.39.3, 6.38.7, 6.37.5, 6.37.4, 6.34.6, 6.34.5, 6.32.4, 6.32.3, 6.30.4, 6.30.2, 6.30.1
>>> 6.48.6
[+] Target url:https://download.mikrotik.com/routeros/6.48.6/routeros-arm-6.48.6.npk
[+] Status Code: 200
╰─⠠⠵ ls *.npk
routeros-arm-6.48.6.npk
```
- Simply run the tool with the `-a` option and select the branch you wish to rip. Again, the valid versions were built from the MikroTik changelogs.

```
python3 npk_downloader.py -a
1 Long-term release tree
2 Stable release tree
3 Testing release tree
4 Development release tree
[+] Select your branch: 2
```
- The easiest way to examine the firmware is to dump it with `binwalk`.
- Simply run `binwalk -e routeros.npk`.
- This command will extract the filesystem and you will have access to the MikroTik binaries for security research.
- If you find a version missing, please let me know with a Pull Request, and I will do my best to find it for you!
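
The SHA-256 comparison suggested above (pull the identical version yourself and compare it with the archived copy) can be done for a whole directory at once. This is an added example, not part of this repository or of `npk_downloader.py`; the directory layout, function names and the tiny placeholder files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_npk_dirs(archive_dir, fresh_dir):
    """Compare every .npk in archive_dir with the same-named file in fresh_dir.

    Returns {filename: "match" | "MISMATCH" | "not-pulled"}.
    """
    results = {}
    for archived in sorted(Path(archive_dir).glob("*.npk")):
        fresh = Path(fresh_dir) / archived.name
        if not fresh.is_file():
            results[archived.name] = "not-pulled"   # nothing to compare against yet
        elif sha256_file(archived) == sha256_file(fresh):
            results[archived.name] = "match"
        else:
            results[archived.name] = "MISMATCH"     # archived copy differs from vendor copy
    return results


def demo():
    """Constructed sample data: tiny placeholder files, not real firmware."""
    with tempfile.TemporaryDirectory() as tmp:
        archive, fresh = Path(tmp, "archive"), Path(tmp, "fresh")
        archive.mkdir()
        fresh.mkdir()
        (archive / "routeros-arm-6.48.6.npk").write_bytes(b"constructed-image-A")
        (fresh / "routeros-arm-6.48.6.npk").write_bytes(b"constructed-image-A")
        (archive / "routeros-arm-6.48.5.npk").write_bytes(b"constructed-image-B")
        (fresh / "routeros-arm-6.48.5.npk").write_bytes(b"constructed-image-B-modified")
        (archive / "routeros-arm-6.47.10.npk").write_bytes(b"constructed-image-C")
        return compare_npk_dirs(archive, fresh)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:10}  {name}")
```

For real use, point `compare_npk_dirs` at a checkout of this archive and at the directory where your own pull landed; any `MISMATCH` means the archived file is not byte-identical to the one served by the vendor.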