Disabling failsafe

I've searched for this topic but the posts were very old with no clear answer. I want to disable failsafe on (multiple) devices without having to use the image builder to build an entire new image. If it is a patch or package can you give me the basic commands on patching it or the package name/repo for compiling it?
Thanks for your time.


I want to stick to the question above. Everything below is extra detail for you:

On a couple of these devices I can easily build a custom image without failsafe, but on my other devices already deployed hundreds of miles away, I heavily prefer to use an official release because I can't troubleshoot it locally and will always have an active repository at my disposal (for changes I might make in the future just like this one). I don't care if I have to redo this step after every sysupgrade or fresh install because I'll add it in my own personal install script.

I simply don't need failsafe if I can reset the device because I have every config file and key I need securely saved offline (and updated on every change). In most cases for myself, it is an unnecessary security risk and I've actually never used it once. In addition to resetting the device, on the remotely deployed devices I have 2 partitions so if one goes down, I can have someone boot to the other partition manually using the power switch (3 on / 3 off) and I can reflash the bad partition later. Lastly and least importantly, my most recent devices have a removable SD card so I don't need failsafe if I can just remove my SD and edit the files from there (sure, it's more complicated than this). I know that it is just as insecure to have an SD with my files on it, but having failsafe is a redundancy I don't need in this specific case.

The only way to disable failsafe is to build your own images. This is because the failsafe boot process is reading out of ROM before any of the RW storage has been mounted. As such, any config files you might edit or packages you might install/uninstall in a running system would only affect the RW partition and would not be able to affect (i.e. stop in this case) the failsafe boot up.

The only reason, IMO, that it would be useful to disable failsafe would be if you are concerned about the potential for it to be used as an attack surface for someone to access the router. They would need to have physical access first, so the only value here would be if the router is in a location that is not secured/trusted.

Failsafe is obviously useful for a variety of purposes, and those extend beyond the idea that you could lose the password/key files... a bad configuration change or package installation/removal/upgrade could also put the router in a state where having a functional failsafe mode can be the only easy recovery method. Since your devices have 2 partitions, that does decrease the likelihood of an issue, but if both partitions end up in an unbootable state, you might regret not having failsafe. Yes, for the devices with removable media, you do have a bit of a safety factor there because, as you mention, removing the SD card often can solve the problem. But this is actually really similar to failsafe booting, when you think about it -- physical access is required, but an attacker would simply remove the SD card and gain access to the router (unless you also have the non-SD card context password/key protected), and if they have access to the SD card, they could also just remove it and insert it into a linux box and read/modify files as they see fit.

So, to your original question -- you need to build your own images. And the takeaway, at least IMO, is that the drawbacks outweigh the benefits of removing failsafe booting AND are only an issue if the device is physically accessible by potential attackers.

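The answer's key point, that failsafe runs from the read-only ROM and that anything changed on a running system lands only in the overlay, can be checked directly on a deployed device. The following is an added example, not code from the thread or from OpenWrt itself: a small POSIX sh helper that, given a ROM root (OpenWrt mounts the squashfs at /rom on squashfs+overlay images, which is an assumption about your image type) and the live root, reports for each path whether the running system still uses the ROM copy, an overlay copy, an added file, or a whiteout-removed file. The lib/preinit paths and file contents used in the comments and test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): compare paths between the
# read-only ROM root and the live (overlay) root. Paths are given relative to
# the roots, e.g. lib/preinit/<script>. Requires a POSIX sh and cmp(1).
#
# Output per path, one line each:
#   rom      - live file is byte-identical to the ROM copy (nothing overridden)
#   overlay  - live file differs; the change lives only in the RW overlay
#   added    - present only in the live root (overlay-only file)
#   removed  - present only in ROM (deleted in the overlay via whiteout)
#   absent   - in neither root
rom_shadow_diff() {
    rom_root=$1
    live_root=$2
    shift 2
    for p in "$@"; do
        if [ ! -e "$rom_root/$p" ] && [ ! -e "$live_root/$p" ]; then
            printf 'absent   %s\n' "$p"
        elif [ ! -e "$rom_root/$p" ]; then
            printf 'added    %s\n' "$p"
        elif [ ! -e "$live_root/$p" ]; then
            printf 'removed  %s\n' "$p"
        elif cmp -s "$rom_root/$p" "$live_root/$p"; then
            printf 'rom      %s\n' "$p"
        else
            printf 'overlay  %s\n' "$p"
        fi
    done
}

# Count how many of the given paths diverge from ROM in any way.
# Useful as a quick drift check on a remote device: a non-zero count means the
# running system no longer matches what the ROM (and a failsafe boot) would use.
rom_drift_count() {
    rom_shadow_diff "$@" | grep -c -v '^rom '
}

# Typical use on a device (assumes /rom is the squashfs mount):
#   rom_shadow_diff /rom / lib/preinit/<script> etc/rc.local
```

Files reported as `overlay` or `added` are exactly the ones a failsafe boot would not see, because it reads the ROM copy before the RW storage is mounted.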

I only live near a few of these devices. Being physically secure, I do my best job.