⚠️ WARNING – Illegal Software & Security Risk

[ashway83]

This repository distributes patches and license generators for MikroTik RouterOS, which is:

• Illegal – violates MikroTik's EULA and copyright law
• Dangerous – unverified binaries on network hardware are a common vector for trojans and backdoors.

Besides the illegal nature of bypassing licensing mechanisms in RouterOS, of particular concern is the repository’s CI workflow behavior. For example, the GitHub Actions workflow appears to download a password-protected 7z archive, which is subsequently extracted and injected into a firmware image during the build process. The use of encrypted archives in automated pipelines significantly reduces transparency and makes independent verification of the payload content and its behavior difficult or impossible, increasing the risk of concealed malicious components being introduced into the resulting firmware.

https://github.com/elseif/MikroTikPatch/tree/main/.github/workflows/mikrotik_patch_7.yml

    - name: Get loader patch files
      if: steps.get_latest.outputs.has_new_version == 'true'
      run: |
        wget -nv -O loader.7z https://${{ env.CUSTOM_UPGRADE_URL }}/routeros/loader.7z
        sudo apt-get install -y p7zip-full > /dev/null
        7z x -p"${{ secrets.LOADER_7Z_PASSWORD }}" loader.7z >> /dev/null
        rm loader.7z

Please be aware.

[fragtion]

@ashway83 Thank you for your well-meaning, yet predictably redundant, input. We have noted your profound insights and intellectual contributions, and we will, of course, exercise due caution. You are correct that this repository contains closed-source payloads, and they should understandably be deemed dangerous for sensitive production environments. The reality, however, is that reverse-engineering is the legitimate pathway for software engineers, cybersecurity professionals, and network administrators to scrutinize proprietary systems and unlock their potential in a controlled, home-lab setting - a privilege I am certain you would also appreciate if your actions here were truly based in a genuinely sincere pursuit. Kindly take a moment to reflect on the sheer magnitude of your concern and how profoundly overblown and obsessive it is quickly becoming. Duplicate issues are lame, no matter what your intention or how important you think you are, so your continued intervention is now entirely superfluous.

[ashway83]

@fragtion, thank you for your response.

The duplicate issue was not opened to be disruptive. It was opened because the original issue was closed without addressing the concerns raised. When a report receives no feedback or resolution, reopening the discussion is entirely justified.

On the topic of reverse engineering: I agree it is a legitimate and valuable practice in professional and educational contexts. However, intent and implementation matter. When distributing opaque binary patches - particularly those that modify proprietary systems at a low level - there should be, at minimum, a clear disclaimer outlining the legal boundaries, associated risks, and intended use cases. Without that, the distinction between security research and misuse becomes difficult to establish.

Given the current landscape of software supply chain attacks (as illustrated by incidents involving compromised packages such as Axios, among others), repositories that distribute unverifiable binaries carry elevated risk. By its nature, this project could be leveraged as a delivery vector, whether intentionally or not. That risk alone warrants a higher standard of transparency.

Regarding the implication about my motivations: I have no affiliation with MikroTik or any related entity. My concern is strictly with legality and security. Distributing patches designed to bypass licensing mechanisms - enabling software to be used without payment - is illegal in most jurisdictions, regardless of how it is framed. This is further compounded by release workflows that build and distribute patched RouterOS releases - which constitutes distribution of modified proprietary software, not the responsible disclosure of vulnerabilities discovered through reverse engineering, that you mentioned.

Regarding the “home lab” argument: MikroTik already provides a fair trial period for evaluation, and the cost of a RouterOS license is accessible for most home lab setups.

I raise these points in good faith, grounded in widely recognized principles of cybersecurity and responsible software distribution. Engaging constructively with these concerns would be far more productive than dismissing them outright.