RouterBOOT is MikroTik's closed source bootloader. See the Mikrotik documentation for details.
The information contained in this page is based on reverse engineering experiments and may not be fully accurate.
Routerboot will load an ELF binary under the following conditions:
Any other value will trigger a « kernel is out of range » error. Thus only 7MB is available to load an ELF binary from TFTP.
The load address doesn’t seem to have to satisfy any wide alignment: 0x802D-1BC4 was successfully loaded.
RouterBOOT seems to honor the entry point address (TBC).
It also appears that RouterBOOT tftp routine loads at offset 0x80A0-0000
The standard self-decompressing kernel is linked at a load address that starts after the decompressed kernel (it is computed in arch/mips/boot/compressed/calc_vmlinuz_load_addr): it's thus not suitable because it makes the problem worse.