Last-resort password recovery
Pappyar has sent me an interesting password recovery technique, which can be used in those weird circumstances when you cannot force the router to go to ROMMON (for example, you’ve configured no service password-recovery and the break signal does not work as expected). Unfortunately, his trick works only if you can remove the flash memory from the router (it’s soldered in low-end models):
- Turn off the router.
- Take out the flash.
- Turn on the router.
- This time the router will take you to ROMMON, as it cannot find an IOS image.
- Set the configuration register with confreg 0x2142.
- Reset (this will change the stored value of the configuration register).
- Turn off the router.
- Reinsert the flash.
- Turn on the router and you are done.
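What the confreg step above actually changes, as an added example that is not part of the original post: a small Python decoder and encoder for the 16-bit IOS configuration register, using the bit layout Cisco documents for it (boot field in bits 0-3, bit 6 = ignore the startup-config in NVRAM, bit 8 = Break disabled once IOS is running, bit 13 = boot the ROM image if network boot fails, legacy console speed in bits 11-12). The function and constant names are my own; the values 0x2102 and 0x2142 are the usual factory default and the recovery value from the steps above.

```python
# Added example (not from the original post): decode/encode the Cisco IOS
# configuration register to show why "confreg 0x2142" bypasses the stored
# startup-config. Bit meanings follow Cisco's documented register layout;
# the function and constant names are my own.

BOOT_FIELD_MASK  = 0x000F  # bits 0-3: where to boot from
IGNORE_NVRAM     = 0x0040  # bit 6: ignore startup-config in NVRAM on boot
BREAK_DISABLED   = 0x0100  # bit 8: ignore Break once IOS is running
NETBOOT_FALLBACK = 0x2000  # bit 13: boot the ROM image if network boot fails

# Legacy console speeds encoded in bit 12 (high) and bit 11 (low).
CONSOLE_BAUD = {0b00: 9600, 0b01: 4800, 0b10: 2400, 0b11: 1200}


def decode(register):
    """Return the register fields a recovery procedure cares about."""
    if not 0 <= register <= 0xFFFF:
        raise ValueError("the configuration register is a 16-bit value")
    boot = register & BOOT_FIELD_MASK
    if boot == 0x0:
        boot_mode = "stay in ROMMON"
    elif boot == 0x1:
        boot_mode = "boot first image in flash / ROM (platform dependent)"
    else:
        boot_mode = "normal boot (boot system commands, else flash)"
    speed_bits = (((register >> 12) & 1) << 1) | ((register >> 11) & 1)
    return {
        "boot_field": boot,
        "boot_mode": boot_mode,
        "ignore_nvram": bool(register & IGNORE_NVRAM),
        "break_disabled": bool(register & BREAK_DISABLED),
        "netboot_fallback": bool(register & NETBOOT_FALLBACK),
        "console_baud": CONSOLE_BAUD[speed_bits],
    }


def recovery_register(current):
    """Value to set in ROMMON: the same register, but NVRAM is ignored on the next boot."""
    return current | IGNORE_NVRAM


def restore_register(recovery):
    """Value to set back with 'config-register' once the passwords are changed."""
    return recovery & ~IGNORE_NVRAM & 0xFFFF


def explain(register):
    """One-line human-readable summary of a register value."""
    f = decode(register)
    return (f"0x{register:04X}: {f['boot_mode']}; ignore NVRAM={f['ignore_nvram']}; "
            f"Break disabled={f['break_disabled']}; console {f['console_baud']} baud")


if __name__ == "__main__":
    default = 0x2102                              # factory default on most IOS routers
    print(explain(default))
    print(explain(recovery_register(default)))    # 0x2142, the value used in the steps above
    print(explain(restore_register(0x2142)))      # back to 0x2102 after recovery
```

Only bit 6 differs between 0x2102 and 0x2142; everything else (boot from flash, Break disabled after boot, 9600 baud console) stays the same, which is why the router boots normally but with an empty running-config. Remember the restore step: a router left at 0x2142 comes up with a blank configuration on every reload.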
10 comments:
What if we just delete the IOS from the flash? Doesn't it work in this way?

Can you delete IOS from flash if you don't have the enable password?

Not unless you port the 'erase' command to privilege 0.

My question was hypothetical. What if we have an external flash and we just remove it from the router (and there is nothing on the system's flash/bootdisk)?

I tested it. If "no service password-recovery" is active, then the router complains on the console about its inability to load IOS and then reloads itself. So removing the flash isn't a way to recover.

No break key on my Macbook, so here's an option that I have verified works. (I gather it won't work if no service password-recovery is enabled though.)
Complete these steps to simulate a break key sequence:
1. Connect to the router with these terminal settings:
   - 1200 baud rate
   - No parity
   - 8 data bits
   - 1 stop bit
   - No flow control
   You no longer see any output on your screen, and this is normal.
2. Power cycle (switch off and then on) the router and press the SPACEBAR for 10-15 seconds in order to generate a signal similar to the break sequence.
3. Disconnect your terminal, and reconnect with a 9600 baud rate. You enter the ROM Monitor mode.

The no service password-recovery still leaves a 5-second interval for pressing the Break key...
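Why the 1200-baud spacebar procedure in the comment above produces something the console port interprets as a Break, as an added example that is not part of the comment: a simplified UART timing model in Python. It assumes 8N1 framing (start bit low, eight data bits LSB first, stop bit high) and that a receiver treats a low level lasting longer than one of its own character frames as a break condition; it ignores receiver sampling and filtering details, so it explains the mechanism rather than guaranteeing the result on a given platform. The function names are my own.

```python
# Added example (not from the original page): a simplified 8N1 UART timing
# model showing why holding SPACE (0x20) at 1200 baud looks like a Break to a
# console receiver running at 9600 baud. The model and the names are mine.

FRAME_BITS = 10   # 8N1: 1 start + 8 data + 1 stop bit


def longest_low_run_bits(byte):
    """Longest run of consecutive low bit-times within one 8N1 frame of `byte`.

    The start bit is low and the data bits follow LSB first, so every zero
    bit at the low end of the byte extends the start bit into one long low
    pulse. The stop bit is high, so the run can never cross into the next frame.
    """
    if not 0 <= byte <= 0xFF:
        raise ValueError("one byte expected")
    run = 1                      # the start bit itself
    for i in range(8):
        if (byte >> i) & 1:      # first 1 bit (LSB first) ends the low run
            break
        run += 1
    return run


def low_pulse_seconds(byte, tx_baud):
    """Duration of the longest low pulse when `byte` is sent at `tx_baud`."""
    return longest_low_run_bits(byte) / tx_baud


def looks_like_break(tx_baud, rx_baud, byte=0x20):
    """True if the sender's low pulse outlasts a whole frame at the receiver's rate.

    A receiver that sees its start bit, all-zero data and no stop bit reports a
    framing error with zero data, which is how UARTs recognise a break condition.
    """
    return low_pulse_seconds(byte, tx_baud) > FRAME_BITS / rx_baud


if __name__ == "__main__":
    for tx in (9600, 1200):
        print(f"SPACE at {tx} baud: low for {low_pulse_seconds(0x20, tx) * 1000:.2f} ms; "
              f"one 9600-baud frame is {FRAME_BITS / 9600 * 1000:.2f} ms; "
              f"break={looks_like_break(tx, 9600)}")
```

A space character has five zero bits above its start bit, so at 1200 baud the line stays low for six bit-times (about 5 ms), far longer than the roughly 1 ms frame the router's 9600-baud receiver expects; at matching speeds the same pulse is well under one frame and is simply read as a space.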
@Laszlo: if you believe that, you might experience a nasty surprise. I've already documented some problems with disabled password recovery.

If all else fails, the 850/870 series have a cheap Intel flash soldered, and the pin 15 to GND trick from the mighty WRT54G works here too. It will corrupt the flash contents, allowing you to go into ROMMON.

Tried this and it has not worked for me on a Cisco 877. The flash module is out and in my hand, and the console output still says "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED".