Disable Factory Reset Button

I am managing a fleet of MAX BR1 via InControl2 and do to unforeseen events desire to have the option via incontrol of each individual BR1 to disable the factory reset button on the router. I have not discovered a GUI option to do this, so is there a CLI command that will perform this task or I would like to make a request to add this option in the next firmware release. Thanks

Hello @rnort,
The factory reset feature is extremely useful and if you are managing the fleet via InControl2 it gives incredible recovery options over all other brands we’ve worked with.

Disabling the reset button does not make your device more secure nor does it reduce the potential that someone may attempt to take the device or change the settings.

Here is the biggest reason to keep the reset button functional, Support.

The Peplink & Pepwave range is well designed for Support remotely, including recovery for accidental miss configuration.

Here is a situation that many have seen. Changes are pushed out to a router and something goes amiss (normally due to human error having changed a setting and not getting the results expected). Now that router is looked out and not accessible remotely and the client’s site is offline. Ops. what to do now? Well, a paper clip is all that is needed and someone able to use that paperclip for you, you simply get the unit factory reset and hey presto (like magic) it will reboot back to InContro2 (with its default settings) and you can restore the last known good working configuration. No need to send your most expensive staff to the site.

There is no way we’d want to see Peplink allowing the disabling of the reset feature and we will actively promote that it remains functional at all times.

There are much better ways to secure your systems and equipment than disabling the reset button.

By the way, we do work with a brand of Security Camera that whenever these units get locked out (such as a lost password), they have to go back to the factor to have the NVRAM replaced, the cost is almost as much as getting a replacement.

Happy to Help,
Marcus :slight_smile:

1 Like

Thanks Marcus appreciate the feedback. But for my purposes and uses for this product line, it is not a priority that the unit can be reset locally. If the router became bricked and unrecoverable, then a new unit would
be purchased and the old destroyed, budget is not a concern.

What I am asking for as an update to the firmware so an option can made available to disable the reset button, its an option that each person can elect to use or not. I have been evaluating this product for company’s
needs’ and so far I am happy for what I need to accomplish, but I am looking at purchasing another 200+ units, but without this option I will have to find another solution.

2 Likes

@rnort

There are 3 ways to factory reset the device:

  1. Via device level Reset Button or LCD panels:

Lower end models:
image

Higher end models:
image

Maintenance
Reboot > Reboot? (Yes/No) (to reboot the unit)
Factory default > Factory default? (Yes/No) (to restore factory defaults)

  1. Via WebAdmin :slight_smile:

  2. Via IC2:

Your request is more on item 1 above for the physical reset button ? Would you able to share more for the concerns and the use case ? More on the physical security concerns ?

2 Likes

At the very least, there should be an option to disable the shorter reset process that allows one to reset the password and port to gain access by holding the button for 5-10 seconds. This is a security concern.

3 Likes

Good point made.

This is similar to a thermostat in an building that is contained within a clear key cover box so people cannot change the temperature who have physical access to the device.

A crude way to enforce security one could put the PepLink in a case of some sort with hole cut outs for the various external components to prevent access to the actual reset button?

1 Like

My 2 cents worth.

Have a strap made of stainless steel with two tabs with holes for a small lock.
Measure the unit… height, depth, times two, and one inch times two for the tabs. Have it made by someone with skills, then wrap it around device covering the reset hole and lock it.
It needs to be made so it clamps tightly when locked.
A small amount of double sided sticky tape between the strap and device will assure it can’t slide.

Dang! Sorry just realized you have lots of devices. Never mind.

1 Like

Hi Team,
We’ve also seen cases where the ability to disable the factory reset on devices would be a great asset. This keeps people with local access and know how that don’t have authority to be making changes from wreaking havoc for IT managers and partners. lease consider adding some option to disable this from the physical reset button.

1 Like

I also agree on this, even though I acknowledge the need and use for it. How about a “special” or"non stock" option. For example click 20 times or something like that well away of the user manual or internet know how.

1 Like

Not to be too facetious, but plugging the reset pinhole with superglue might do the trick.

2 Likes

Hello Everyone,
In many of the higher end models that have the LCD display (such as the Balance 380, 580, 710) for doing a local reset, the reset feature can have a PIN applied. In this situation if the admin password is lost and so is the PIN and the unit is not managed from InControl2, then the unit must be returned to Peplink for restoration of the unit back to factory.
We currently have a customer in that situation, they have lost the admin password & reset pin and the unit is not connected to InControl2 (disabled within router), so they are unable to make any changes.

Without knowing the technical design of the models, here are a couple of possibilities to consider.

  • If the Reset is a hardware initiated process independent of the firmware, then the only option is to block up the reset pin as suggest by @zegor_mjol.
  • If the Reset is a processed based reset done by the firmware, then there may be an option to add an optional additional security layer around this where an additional step needs to be taken using some form of security. What if within the unit you could choose the option to secure the reset with a Reset PIN (between 6 & 16 digits), then if a factory reset is initiated with the reset button, the unit can boot up with an intermediary factory configuration, this configuration would allow a special web admin (with the WANs all on default and LAN set to default) that can also be accessed through InControl2 (if the device has a current subscription) where you have a grace period of say 10 minutes to log into the device and verify the reset PIN to completely reset the device, else the device will reboot back to the previous working configuration.

Just some thoughts.
Happy to Help,
Marcus :slight_smile:

3 Likes

Have not looked this thread in while, but, still have a desire and need to have a software option to disable the reset button. It has to be a software option, right,

a cover, strap , superglue etc can all be bypassed those solutions are great, but they are a physical, and if I had those measures in place and a bad actor gets past the physical security, press the button and viola. having the software option, means they have two factor authentication to get in, to me this seems like a better way to go. Other Networking Equipment manufactures have this option available, So Peplink support what do you say, added security or send me a tube of Pep-Epoxy for free?

1 Like

It appears that password reset can be disabled via the reset in 8.3 fw.
see the release notes
27990 [Beta 1] [Reset PIN] Removed the reset Web Admin password by using reset pin Balance: All (Except 305/380 or above)

https://forum.peplink.com/t/firmware-8.3.0-rc-2/6393159f6ef0d1fe34158eb8/
Would this cover your need?

1 Like

Not exactly, I was talking about the factory reset, I was hoping to have that feature be a option selection to allow the user to physically press the button to place the unit in factory default or press the button and nothing happens, thanks

As a service provider , we have the need to lock the config to prevent accidently reset in the field.
This is not something I would ever encourage an end user to do, but I understand that you are trying to manage a fleet of units, so I’ll let you know what we do.
However I will caution you that when using this method , make 100% that you know what the last locked state is with regards to incontrol2 configured, admin password, login port, ip address range, if dhcp is enabled, etc.
If you don’t know the info , the device can’t be reset anymore and you won’t be able to access it.
The peplink incontrol2 does provide the following and we have used this method in some situations.
https://www.peplink.com/ic2-api-doc/#!post_rest_o_o_g_o_sp_default set to true.
This still doesn’t disable reset, but it puts it back to your specific config instead of true factory default.

You could also put a camera on the device to catch who is resetting it :slight_smile:

3 Likes

if Budget is not a concern, then warranty isn’t either, so then its a simple fix

Open the unit
De-solder the button assembly from the motherboard, takes about 15 seconds to do it
close the box again
Done

if you ever need to reset it, open the box, short the solder points with a flat screwdriver, and there you go.

Factory reset is built into the EPROM bootstrap, even before the bios loads, so unless they would make you a physically new unit without the button (which again can be defeated by just shorting it with a flat head screw driver even if they physically removed it) i don’t see how else they could do it.

Also, as with everything,

If you have unwanted people having physical access to your hardware then you have way bigger problems than them resetting it, you are much better off putting it inside a safe then running the cables out than trying to lock out the pins.