From f2576cf55892618c65fca6a1bff03b35a94acee8 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Mon, 30 Sep 2024 16:10:55 +0200
Subject: packages-update: give warning on lock in device-mode

RouterOS 7.17beta2 introduced some extra security measures, including
some to prevent downgrade attacks for the installation. Detect early
and exit with message and error.

https://help.mikrotik.com/docs/display/ROS/Device-mode
---
 packages-update.rsc | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'packages-update.rsc')

diff --git a/packages-update.rsc b/packages-update.rsc
index b08a48d..b4fab46 100644
--- a/packages-update.rsc
+++ b/packages-update.rsc
@@ -18,6 +18,7 @@
   :global Grep;
   :global LogPrint;
   :global ParseKeyValueStore;
+  :global RequiredRouterOS;
   :global ScriptFromTerminal;
   :global ScriptLock;
   :global VersionToNum;
@@ -99,6 +100,13 @@
 
   :local DoDowngrade false;
   :if ($NumInstalled > $NumLatest) do={
+    :if ([ $RequiredRouterOS $ScriptName "7.17beta2" false ] = true && \
+         ([ /system/device-mode/get ]->"downgrade") != true) do={
+      $LogPrint error $ScriptName \
+          ("The device mode has locked downgrades! You will need physical access!");
+      :error false;
+    }
+
     :if ([ $ScriptFromTerminal $ScriptName ] = true) do={
       :put "Latest version is older than installed one. Want to downgrade? [y/N]";
       :if (([ /terminal/inkey timeout=60 ] % 32) = 25) do={
-- 
cgit v1.2.3-70-g09d2