-
prepare an empty micro sd card (2GB or above)
-
use https://github.com/0ki/mikrotik-tools/blob/master/exploit-defconf/make_usb.sh to "format && prepare" the micro sd card, like this:
./make_usb.sh /dev/sdb
-
when finished, plugin the micro sd card into the RB450Gx4 (you need open the outside iron box, and the sdcard slot is on the circuit board)
-
make sure the your pc can connect to the RB450Gx4 (and the sshd service is open)
-
execute the https://github.com/0ki/mikrotik-tools/blob/master/exploit-defconf/second_stage.sh , you'll asked to input the device ip and possible password if you have set.
-
waiting for the device reboot, you'll login the root shell automatically.
-
upload the busybox (https://busybox.net/downloads/binaries/1.28.1-defconfig-multiarch/busybox-armv7l) and give it executable permission, you can do whatever you want.
Notes: when you reboot the device, the root shell is gone, you need execute the second_stage.sh script again. and don't remove the sd card.
my device partition layout:
# cat /proc/mtd
dev: size erasesize name
mtd0: 00800000 00040000 "RouterBoard NAND 1 Boot"
mtd1: 1f800000 00040000 "RouterBoard NAND 1 Main"
mtd2: 00040000 00001000 "RouterBoot"