RouterBOOT is MikroTik's closed source bootloader. See the Mikrotik documentation for details.

The information contained in this page is based on reverse engineering experiments and may not be fully accurate.

Version 6.46.4 on RB493G

Routerboot will load an ELF binary under the following conditions:

  • 0x8000-0000 ⇐ load address < 0x8070-0000
  • load address + size < 0x8070-0000

Any other value will trigger a « kernel is out of range » error. Thus only 7MB is available to load an ELF binary from TFTP.

The load address doesn’t seem to have to satisfy any wide alignment: 0x802D-1BC4 was successfully loaded.

RouterBOOT seems to honor the entry point address (TBC).

It also appears that RouterBOOT tftp routine loads at offset 0x80A0-0000


The standard self-decompressing kernel is linked at a load address that starts after the decompressed kernel (it is computed in arch/mips/boot/compressed/calc_vmlinuz_load_addr): it's thus not suitable because it makes the problem worse.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2020/10/30 13:06
  • by bikepunk