Recovering from disabled password recovery might not be possible

IOS release 12.3T (and 12.4) introduced a great security feature: the ability to disable password recovery (using the well-known break key sequence) with the no service password-recovery global configuration command. However, once you configure this feature on some routers, you might have no means whatsoever to get it under control if you forget the password.

The IOS documentation states that you should be able to erase NVRAM (thus losing the config, but protecting the password integrity) if you press the break key a few seconds after the Image text-base: 0x........, data-base: 0x........ message appears. Unfortunately, that does not work on the router I've been doing my tests on (2811 with c2800nm-advipservicesk9-mz.124-6.T.bin and ROMMON Version 12.4(1r)). There was simply no way to erase NVRAM, so the router would remain locked up if I had really forgotten the enable password.

Note: After my tests, I was told that pressing the break key as soon as the router is powered up might work.

Moral of the story: test whether you can recover the router with your particular combination of IOS/ROMMON versions before disabling password recovery (and forgetting the password).
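One way to turn that advice into a pre-deployment check, as an added example (not code from the original post): parse `show version` and the running configuration, and flag any device that has password recovery disabled on an IOS/ROMMON combination that has not passed a recovery test in your lab. The `LAB_RESULTS` table, the function name and the sample text are assumptions constructed for illustration; the one entry records the failing combination from the post.

```python
import re

# Assumption: results of your own lab recovery tests, keyed by
# (image file, ROMMON version). True = NVRAM erase worked, False = it did not.
# The single entry is the combination the post reports as failing.
LAB_RESULTS = {
    ("c2800nm-advipservicesk9-mz.124-6.T.bin", "12.4(1r)"): False,
}

IMAGE_RE = re.compile(r'^System image file is "([^"]+)"', re.M)
ROMMON_RE = re.compile(r"^ROM: System Bootstrap, Version ([^\s,]+)", re.M)
NO_RECOVERY_RE = re.compile(r"^no service password-recovery\s*$", re.M)

def audit(show_version: str, running_config: str) -> dict:
    """Classify one device from its 'show version' and running-config text."""
    image = IMAGE_RE.search(show_version)
    rommon = ROMMON_RE.search(show_version)
    # Strip the filesystem prefix and any directories: flash:/dir/file -> file
    image_name = re.split(r"[:/]", image.group(1))[-1] if image else None
    rommon_ver = rommon.group(1) if rommon else None
    disabled = bool(NO_RECOVERY_RE.search(running_config))
    tested = LAB_RESULTS.get((image_name, rommon_ver))  # None = never tested
    if not disabled:
        verdict = "ok: password recovery enabled"
    elif tested is True:
        verdict = "ok: recovery disabled, erase path verified in lab"
    elif tested is False:
        verdict = "risk: recovery disabled, erase path FAILED in lab"
    else:
        verdict = "risk: recovery disabled, combination untested"
    return {"image": image_name, "rommon": rommon_ver, "verdict": verdict}

# Constructed sample input (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
System image file is "flash:c2800nm-advipservicesk9-mz.124-6.T.bin"
"""
SAMPLE_CONFIG = "version 12.4\nno service password-recovery\nhostname R1\n"

if __name__ == "__main__":
    print(audit(SAMPLE_SHOW_VERSION, SAMPLE_CONFIG))
```
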


  1. Hello, Ivan!

    I have also tried recently (last week) to delete the startup-config from a Cisco 837 router that had the "no service password-recovery" feature activated, but there was no way whatsoever to send BREAK to the poor thing.

    Unfortunately the NVRAM is emulated in flash memory (onboard, of course) so I couldn't erase it.

    I have also tried setting a jumper on all possible positions on the 10 motherboard pair of pins but it still loaded the startup-config from the NVRAM :)

  2. I assumed you opened a service request with Cisco for that issue, right Ivan ? :)
    Interesting. I have some devices that should support the "no service password-recovery" functionality. I'll give it a try and report back the results.
  3. @Bluedemon: Absolutely :*) Come on ...
  4. I am too scared to try because I don't have a spare router to lose in case I screw up.

  5. the bug (break being ignored after IOS is booted) seems to manifest because IOS checks for the break only in the first 5 seconds when the IOS is initialized.

    it seems that this process (ios init) takes more than 5 seconds on some platforms/images (roughly 6 seconds on 837 ;-) and the break arrives too late.

    the cisco workaround was to increase this interval to 10 seconds in newer images.

    i guess you just need to RMA the affected router, if you have no access to enable...
  6. This is something that I ran into with a router I bought on eBay ... I solved my issue by removing the NVRAM chip from the router, which forces it to boot in ROM MON, then changed the confreg, then put the NVRAM chip back in, and not only did I have a password recovery, I was able to pull the entire config from the previous Co-Lo that was on the router.
  7. Ivan, have you got any useful answer from Cisco TAC?
  8. I haven't opened a case (the whole TAC thread was a joke ;). In my case, it would have been a theoretical question (I didn't have a locked-up router) and I would not want to waste TAC engineers' time, I guess there are plenty of other people doing that already.
  9. Hi Ivan,

    Actually we had this feature in our routers long before 12.3 or 12.4; it was simply a 'hidden' command. In fact it dates back to before 11.2 code ;-) ... email me a show tech so that I can emulate this. Here's an old 2620 with 12.0(7) with the feature enabled, from a write-up I did back in 2001:

    Cisco Internetwork Operating System Software
    IOS (tm) C2600 Software (C2600-JO3S56I-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-1999 by cisco Systems, Inc.
    Compiled Tue 07-Dec-99 07:11 by phanguye
    Image text-base: 0x80008088, data-base: 0x8107A5D0


    Do you want to reset the router to factory default configuration and proceed [y/n] ? y

    Reset router configuration to factory default.
  10. I have a Cisco 1841 and nothing I can do will reset the password.

    All the breaks in the world, right after the image loads, before it every other time you can imagine.

    I am going down two avenues:

    1. Find out which chip on the motherboard is the NVRAM and physically unsolder it.

    2. Write my own IOS that when loaded erases the NVRAM.

    Both options will probably result in the box being a doorstop for the rest of eternity :-)
  11. There's a procedure used to "unbrick" some Linksys routers running Linux.

    It involves shorting a couple of pins of the onboard flash, rendering it unusable. The router can then be accessed via its recovery mechanism.

    I wonder if something similar couldn't be tried here? Ground a pin that's critical for reading NVRAM?

    Obviously there is some risk, but if you're starting with an unusable router anyway...

    And it's certainly preferable to unsoldering!

    The Linksys procedure can be found by googling: wrt "pin 15 and 16"
  12. I have 1 2811 router. I forgot my show error "password recovery functionality is disabled". Please tell me how to rectify this error.
  13. Ok guy... This is a old old post but my friend is google and it told me that the friend of is friend of is friend... that is cisco I think??? told that since some age... " "... I don't know but that work...
  14. The point of the post is quite simple: Sometimes specific ROMMON versions do not work as described by Cisco's documentation, so it's best to check whether the recovery really works before disabling password recovery and forgetting the password ;)
    this works
  16. I had this issue with an 1841, and I couldn't seem to time the Break correctly, so it wasn't giving me the option to clear the config.
    So I alternately pressed <break>, then <ctrl-break> every second, as soon as the router powered on.
    Crude, but it worked.
  17. thank SD!!! pressed ctrl+break every second and working
  18. CTRL+BREAK worked on my 887 router, just needed to be very quick, was only 1-2second time window after boot to send the command. THANKS!
  19. If you are using a USB->serial adapter and can't get a break to work, more than likely the adapter is not sending it correctly. I spent over an hour trying it with one adapter and failing, changed to another brand's adapter and it worked first try.
  20. ctrl-break worked for me on a 1721, answer yes then no then reboot. You should be able to get into rommon like normal.

    I think you need ctrl-break depending on your serial port/console client setup.
    1. Also, it did not erase the config. I was able to see the old config, that the previous owner left on the device. You should always erase the nvram before excessing as this command does not really secure it.
  21. I had a similar problem with a Cisco 1803 today. It had IOS 12.3 on it. There was no way to get into ROMMON-mode (break did not work). I started it with another flash card with IOS 15.1 for 1800-series on it. The nvram was apparently unreadable for this IOS version, so it "reformatted" it for me. Booting again with the original flash-card showed me that the NVRAM was indeed reset to empty, and I rescued my eBay bargain... ;-)
  22. I have a 12.4(15)T8 running CISCO2811 here that was locked too.. i have pressed CTRL BREAK every second also and it worked :

    Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)
    Technical Support:
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Mon 01-Dec-08 15:27 by prod_rel_team
    Image text-base: 0x400AA4B0, data-base: 0x439C1670

    Do you want to reset the router to factory default
    configuration and proceed [y/n] ?
    Reset router configuration to factory default.

    This product contains cryptographic features and is subject to United
  23. Hi to all,
    I have a Cisco 1921, with Version 15.1(4)M2, and it doesn't work.
    Please help ME.

  24. Same problem with a c1803 running IOS 12.3(8).

    Booted with a CF with IOS 15.1
    Entered erase /all nvram:

    And now OK !
  25. If you press multiple times control break at start-up, eventually the rommon> prompt will appear. I tried this with more 28xx routers.
  26. Getting into rommon is Easy on my 2811. However if I change the confreg and reset, the router just boots over and over, I can never get past that. Getting into rommon is easy, but changing the register results in a total failure to boot. The password recovery procedure does not work for me at all... I've had to recover hundreds of ciscos for the last 20 years, but this is the first time I have failed.
  27. Here's how I had success with several 1841's running ADVSECURITY version 12.4(15)T6.

    Send break sequences in this section of the boot.
    Self decompressing the image : #################################################################################################################################### [OK]

    IOMEM (..output suppressed..)
    PMEM allocated:(..output suppressed..)

    Begin sending the break sequences about once per second, right before the "[OK]" appears, and keep doing it until the line with "PMEM allocated:" appears.

    Also, today we broke a 1921 with same problem, by sending the break on or near the '[OK]' as the image finishes decompressing.

    Nathan O.

  28. I had to break 1921's today. The break window is smaller than for the 1841.
    My teraterm macro (or my finger) waits to send ONLY one break sequence about 1/10 of a second after the line containing: "Rounded IOMEM" appears on the console.

    This string appears a fraction of a second before the "Restricted Rights Legend" boiler-plate text appears.

    My timing (even using the macro) still fails about half the time. Good luck!

    Nathan O.
  29. Hi,
    I have a Cisco Router 1751v with the same issue: "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED".

    The Ctrl/Break does not work with either HyperTerminal or PuTTY. I've tried it also with MobaXterm, same issue.

    Does anyone know what else I could try to reset the router to the default settings?

    Thank you in advance!
  30. It's all to do with your Console connectivity. Using a USB-Serial converter didn't work for me. I had to dig out an old PC from the basement and use the cisco console cable direct to the com port. Worked first time then. When logged in (no pwd), I ran the service password-recovery command and rebooted my C2811. All fixed.
  31. This works only if you use some old IOS (for example: c1841-advipservicesk9-mz.124-24.T4.bin)
    It doesn't work when I had 15.1 IOS in FLASH
  32. I was just doing this on a 1901 with IOS Version 15.0(1)M3. Hope this helps someone.

    Wait for the following to be displayed:

    Rounded IOMEM up to: 40Mb.
    Using 7 percent iomem. [40Mb/512Mb]


    Do you want to reset the router to factory default
    configuration and proceed [y/n] ?


    Let boot

    Router#write erase
    Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
    Router#conf t
    Router(config)#service password-recovery
    System configuration has been modified. Save? [yes/no]: y
    Building configuration...
    Proceed with reload? [confirm]

