Recovering from disabled password recovery might not be possible

IOS release 12.3T (and 12.4) introduced a great security feature: the ability to disable password recovery (using the well-known break key sequence) with the no service password-recovery global configuration command. However, once you configure this feature on some routers, you might have no means whatsoever to get it under control if you forget the password.

The IOS documentation states that you should be able to erase NVRAM (thus losing the config, but protecting the password integrity) if you press the break key a few seconds after the Image text-base: 0x........, data-base: 0x........ message appears. Unfortunately, that does not work on the router I've been doing my tests on (2811 with c2800nm-advipservicesk9-mz.124-6.T.bin and ROMMON Version 12.4(1r)). There was simply no way to erase NVRAM, so the router would remain locked up if I had really forgotten the enable password.

Note: After my tests, I was told that pressing the break key as soon as the router is powered up might work.

Moral of the story: test whether you can recover the router with your particular combination of IOS/ROMMON versions before disabling password recovery (and forgetting the password).
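One way to apply that advice across a fleet, as an added example that is not part of the original post: a small Python audit that flags devices where password recovery is disabled on an image/ROMMON pair nobody has lab-tested. The `LAB_VERIFIED` allow-list, the function name and the sample `show version` and configuration text are assumptions constructed for illustration; only the 2811 image and ROMMON version come from the post.

```python
import re

# Hypothetical allow-list: (image file, ROMMON version) pairs on which a lab
# test confirmed that break at boot still offers the factory-default reset.
# The entry is constructed for this example.
LAB_VERIFIED = {("c2800nm-lab-tested-mz.bin", "12.4(13r)T")}

IMAGE_RE = re.compile(r'^System image file is "([^"]+)"', re.M)
ROMMON_RE = re.compile(r"^ROM: System Bootstrap, Version ([^\s,]+)", re.M)
LOCKED_RE = re.compile(r"^no service password-recovery\s*$", re.M)

def audit(show_version, running_config):
    """Classify one device as 'ok', 'at-risk' or 'unknown', with a reason."""
    if not LOCKED_RE.search(running_config):
        return "ok", "password recovery is still enabled"
    image, rommon = IMAGE_RE.search(show_version), ROMMON_RE.search(show_version)
    if not (image and rommon):
        return "unknown", "recovery disabled, image or ROMMON version not found"
    # Drop the filesystem prefix and any directories: flash:/dir/x.bin -> x.bin
    combo = (re.split(r"[:/]", image.group(1))[-1], rommon.group(1))
    if combo in LAB_VERIFIED:
        return "ok", "recovery disabled, reset verified for %s / %s" % combo
    return "at-risk", "recovery disabled, reset never verified for %s / %s" % combo

# Constructed samples. The first uses the image and ROMMON named in the post.
VERSION_POST_2811 = (
    'ROM: System Bootstrap, Version 12.4(1r) [constructed], RELEASE SOFTWARE (fc1)\n'
    'System image file is "flash:c2800nm-advipservicesk9-mz.124-6.T.bin"\n'
)
VERSION_LAB = (
    'ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)\n'
    'System image file is "flash:/c2800nm-lab-tested-mz.bin"\n'
)
CONFIG_LOCKED = "hostname r1\nno service password-recovery\nenable secret 5 <hash>\n"
CONFIG_OPEN = "hostname r2\nservice password-encryption\n"

if __name__ == "__main__":
    for ver, cfg in [(VERSION_POST_2811, CONFIG_LOCKED), (VERSION_LAB, CONFIG_LOCKED),
                     (VERSION_POST_2811, CONFIG_OPEN), ("", CONFIG_LOCKED)]:
        print(audit(ver, cfg))
```
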

27 comments:

  1. Sorin CONSTANTINESCU, 05 December, 2007 13:06

    Hello, Ivan!

    I have also tried recently (last week) to delete the startup-config from a Cisco 837 router that had the "no service password-recovery" feature activated, but there was no way whatsoever to send BREAK to the poor thing.

    Unfortunately the NVRAM is emulated in flash memory (onboard, of course) so I couldn't erase it.

    I have also tried setting a jumper on all possible positions on the 10 motherboard pair of pins but it still loaded the startup-config from the NVRAM :)

    Regards,

  2. I assumed you opened a service request with Cisco for that issue, right Ivan ? :)
    Interesting. I have some devices that should support the "no service password-recovery" functionality. I'll give it a try and report back the results.

  3. @Bluedemon: Absolutely :*) Come on ...

  4. I am too scared to try...it's because I don't have a spare router to lose in case I screw up.

    :^)

  5. the bug (break being ignored after IOS is booted) seems to manifest because IOS checks for the break only in the first 5 seconds when the IOS is initialized.

    it seems that this process (ios init) takes more than 5 seconds on some platforms/images (roughly 6 seconds on 837 ;-) and the break arrives too late.

    the cisco workaround was to increase this interval to 10 seconds in newer images.

    i guess you just need to RMA the affected router, if you have no access to enable...

  6. This is something that I ran into with a router I bought on eBay ... I solved my issue by removing the NVRAM chip from the router, which forces it to boot in ROM MON, then changed the confreg, then put the NVRAM chip back in, and not only did I have a password recovery, I was able to pull the entire config from the previous Co-Lo that was on the router.

  7. Ivan, have you got any useful answer from Cisco TAC?

  8. I haven't opened a case (the whole TAC thread was a joke ;). In my case, it would have been a theoretical question (I didn't have a locked-up router) and I would not want to waste TAC engineers' time, I guess there are plenty of other people doing that already.

  9. Hi Ivan,

    Actually we had this feature in our routers long before 12.3 or 12.4; it was simply a 'hidden' command. In fact it dates back to before 11.2 code ;-) ... email me a show tech so that I can emulate is the hardware....btw...here's an old 2620 with 12.0(7) with the feature enabled from a write-up I did back in 2001:

    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-JO3S56I-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Tue 07-Dec-99 07:11 by phanguye
    Image text-base: 0x80008088, data-base: 0x8107A5D0

    PASSWORD RECOVERY IS DISABLED.

    Do you want to reset the router to factory default configuration and proceed [y/n] ? y

    Reset router configuration to factory default.

  10. I have a Cisco 1841 and nothing I can do will reset the password.

    All the breaks in the world, right after the image loads, before it every other time you can imagine.

    I am going down two avenues:

    1. Find out which chip on the mother board is the NVRAM and physically unsolder it.

    2. Write my own IOS that when loaded erases the NVRAM.

    Both options will probably result in the box being a doorstop for the rest of eternity :-)

  11. There's a procedure used to "unbrick" some Linksys routers running Linux.

    It involves shorting a couple of pins of the onboard flash, rendering it unusable. The router can then be accessed via its recovery mechanism.

    I wonder if something similar couldn't be tried here? Ground a pin that's critical for reading NVRAM?

    Obviously there is some risk, but if you're starting with an unusable router anyway...

    And it's certainly preferable to unsoldering!

    The Linksys procedure can be found by googling: wrt "pin 15 and 16"

  12. I have one 2811 router and I forgot my password. It shows the error "password recovery functionality is disabled". Please tell me how to rectify this error.

  13. Ok guy... This is an old, old post but my friend is Google and it told me that the friend of is friend of is friend... that is Cisco I think??? told that since some age... " http://www.ict-partner.net/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html "... I don't know but that works...

  14. Ivan Pepelnjak, 26 March, 2010 15:24

    The point of the post is quite simple: Sometimes specific ROMMON versions do not work as described by Cisco's documentation, so it's best to check whether the recovery really works before disabling password recovery and forgetting the password ;)

  15. http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html#wp1062060
    this works

  16. I had this issue with an 1841, and I couldn't seem to time the Break correctly, so it wasn't giving me the option to clear the config.
    So I alternately pressed <break>, then <ctrl-break> every second, as soon as the router powered on.
    Crude, but it worked.

  17. Thanks SD!!! Pressed ctrl+break every second and it's working

  18. CTRL+BREAK worked on my 887 router, just needed to be very quick, was only a 1-2 second time window after boot to send the command. THANKS!

  19. If you are using a USB->serial adapter and can't get a break to work, more than likely the adapter is not sending it correctly. I spent over an hour trying it with one adapter and failing, changed to another brand's adapter and it worked first try.

  20. ctrl-break worked for me on a 1721, answer yes then no then reboot. You should be able to get into rommon like normal.

    I think you need ctrl-break depending on your serial port/console client setup.

    1. Also, it did not erase the config. I was able to see the old config, that the previous owner left on the device. You should always erase the nvram before excessing as this command does not really secure it.

  21. I had a similar problem with a Cisco 1803 today. It had IOS 12.3 on it. There was no way to get into ROMMON-mode (break did not work). I started it with another flash card with IOS 15.1 for 1800-series on it. The nvram was apparently unreadable for this IOS version, so it "reformatted" it for me. Booting again with the original flash-card showed me that the NVRAM was indeed reset to empty, and I rescued my eBay bargain... ;-)

  22. I have a 12.4(15)T8 running CISCO2811 here that was locked too. I have pressed CTRL BREAK every second also and it worked:

    Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Mon 01-Dec-08 15:27 by prod_rel_team
    Image text-base: 0x400AA4B0, data-base: 0x439C1670


    PASSWORD RECOVERY IS DISABLED.
    Do you want to reset the router to factory default
    configuration and proceed [y/n] ?
    Reset router configuration to factory default.

    This product contains cryptographic features and is subject to United

  23. Hi to all,
    I have a Cisco 1921, with Version 15.1(4)M2, and it doesn't work.
    Please help ME.

    Alessandro

  24. Same problem with a c1803 running IOS 12.3(8).

    Booted with a CF with IOS 15.1
    Entered erase /all nvram:

    And now OK !

  25. If you press multiple times control break at start-up, eventually the rommon> prompt will appear. I tried this with more 28xx routers.

  26. Getting into rommon is easy on my 2811. However if I change the confreg and reset, the router just boots over and over, I can never get past that. Getting into rommon is easy, but changing the register results in a total failure to boot. The password recovery procedure does not work for me at all... I've had to recover hundreds of Ciscos for the last 20 years, but this is the first time I have failed.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.