Last-resort password recovery

Pappyar has sent me an interesting password recovery technique, which can be used in those weird circumstances when you cannot force the router to go to ROMMON (for example, you’ve configured no service password-recovery and the break signal does not work as expected). Unfortunately, his trick works only if you can remove the flash memory from the router (it’s soldered in low-end models):

  1. Turn off the router.
  2. Take out the flash.
  3. Turn on the router.
  4. This time router will take you to ROMMON as it cannot find an IOS image.
  5. Set the configuration register with confreg 0x2142.
  6. Reset (this will change the stored value of the configuration register).
  7. Turn off the router.
  8. Reinsert the flash.
  9. Turn on the router and you are done.

10 comments:

  1. What if we just delete the IOS from the flash? Doesn't it work in this way?
  2. Can you delete IOS from flash if you don't have enable password?
  3. Not unless you port the 'erase' command to privilege 0.
  4. My question was hypothetical. What if we have an external flash and we just remove it from the router (and there is nothing on the system's flash/bootdisk)
  5. I tested it. If "no service password-recovery" is active then router complain on the console inability to load IOS after then it reload itself. So removing flash isn't a way to recover.
  6. No break key on my Macbook, so here's an option that I have verified works. (I gather it won't work if no service password-recovery is enabled though)

    Complete these steps to simulate a break key sequence:

    1.

    Connect to the router with these terminal settings:

    1200 baud rate

    No parity

    8 data bits

    1 stop bit

    No flow control

    You no longer see any output on your screen, and this is normal.
    2.

    Power cycle (switch off and then on) the router and press the SPACEBAR for 10-15 seconds in order to generate a signal similar to the break sequence.
    3.

    Disconnect your terminal, and reconnect with a 9600 baud rate. You enter the ROM Monitor mode.
  7. The no service password-recovery still lets a 5-seconds interval for pressing the Break key...
  8. @Laszlo: if you believe that, you might experience a nasty surprise. I've already documented some problems with disabled password recovery.
  9. If all else fails, the 850/870 series have a cheap Intel flash soldered, and pin 15 to GND trick from the mighty WRT54G works here too. It will corrupt flash contents allowing you to go into ROMMON.
  10. Tried this and it has not worked for me on a Cisco 877. The flash module is out and in my hand, and the console output still says "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED"

Add comment
Sidebar