Your browser failed to load CSS style sheets. Your browser or web proxy might not support elliptic-curve TLS

Building network automation solutions

9 module online course

Start now!
back to overview

Last-resort password recovery

Pappyar has sent me an interesting password recovery technique, which can be used in those weird circumstances when you cannot force the router to go to ROMMON (for example, you’ve configured no service password-recovery and the break signal does not work as expected). Unfortunately, his trick works only if you can remove the flash memory from the router (it’s soldered in low-end models):

  1. Turn off the router.
  2. Take out the flash.
  3. Turn on the router.
  4. This time router will take you to ROMMON as it cannot find an IOS image.
  5. Set the configuration register with confreg 0x2142.
  6. Reset (this will change the stored value of the configuration register).
  7. Turn off the router.
  8. Reinsert the flash.
  9. Turn on the router and you are done.

Related posts by categories

Please read our Blog Commenting Policy before writing a comment.

10 comments:

  1. Danail Petrov18 March, 2009 15:27

    What if we just delete the IOS from the flash? Doesn't it work in this way?

    ReplyDelete
  2. Ivan Pepelnjak18 March, 2009 18:38

    Can you delete IOS from flash if you don't have enable password?

    ReplyDelete
  3. Anonymous19 March, 2009 00:53

    Not unless you port the 'erase' command to privilege 0.

    ReplyDelete
  4. Danail Petrov19 March, 2009 15:32

    My question was hypothetical. What if we have an external flash and we just remove it from the router (and there is nothing on the system's flash/bootdisk)

    ReplyDelete
  5. Anonymous19 March, 2009 20:14

    I tested it. If "no service password-recovery" is active then router complain on the console inability to load IOS after then it reload itself. So removing flash isn't a way to recover.

    ReplyDelete
  6. Nathan25 March, 2009 12:10

    No break key on my Macbook, so here's an option that I have verified works. (I gather it won't work if no service password-recovery is enabled though)

    Complete these steps to simulate a break key sequence:

    1.

    Connect to the router with these terminal settings:

    1200 baud rate

    No parity

    8 data bits

    1 stop bit

    No flow control

    You no longer see any output on your screen, and this is normal.
    2.

    Power cycle (switch off and then on) the router and press the SPACEBAR for 10-15 seconds in order to generate a signal similar to the break sequence.
    3.

    Disconnect your terminal, and reconnect with a 9600 baud rate. You enter the ROM Monitor mode.

    ReplyDelete
  7. Laszlo20 April, 2009 12:09

    The no service password-recovery still lets a 5-seconds interval for pressing the Break key...

    ReplyDelete
  8. Ivan Pepelnjak20 April, 2009 16:27

    @Laszlo: if you believe that, you might experience a nasty surprise. I've already documented some problems with disabled password recovery.

    ReplyDelete
  9. Anonymous05 May, 2009 01:55

    If all else fails, the 850/870 series have a cheap Intel flash soldered, and pin 15 to GND trick from the mighty WRT54G works here too. It will corrupt flash contents allowing you to go into ROMMON.

    ReplyDelete
  10. Anonymous02 June, 2013 09:39

    Tried this and it has not worked for me on a Cisco 877. The flash module is out and in my hand, and the console output still says "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED"

    ReplyDelete

Constructive courteous comments are most welcome. Anonymous trolling will be removed with prejudice.

Home
Sidebar