IOS release 12.3T (and 12.4) introduced a great security feature: the ability to disable password recovery (using the well-known break key sequence) with the no service password-recovery global configuration command. However, once you configure this feature on some routers, you might have no way whatsoever to regain control of the router if you forget the password.
The IOS documentation states that you should be able to erase NVRAM (thus losing the config, but protecting the password integrity) if you press the break key a few seconds after the Image text-base: 0x........, data-base: 0x........ message appears. Unfortunately, that does not work on the router I've been doing my tests on (2811 with c2800nm-advipservicesk9-mz.124-6.T.bin and ROMMON Version 12.4(1r)). There was simply no way to erase NVRAM, so the router would remain locked up if I had really forgotten the enable password.
Note: After my tests, I was told that pressing the break key as soon as the router is powered up might work.
Moral of the story: test whether you can recover the router with your particular combination of IOS/ROMMON versions before disabling password recovery (and forgetting the password).
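One way to act on this advice across more than one router, as an added example (not code from the original post): the script reads collected show version output together with the relevant running-config line, and lists every router that has no service password-recovery configured on an image/IOS/ROMMON combination nobody has bench-tested for recovery. The device names, the TESTED set and all sample text are constructed assumptions.

```python
import re

IMAGE_RE = re.compile(r"Software \((?P<image>[^)]+)\), Version (?P<ios>[^,\s]+)")
ROMMON_RE = re.compile(r"^ROM: .*?Version (?P<rommon>[^,\s]+)", re.M)
NO_RECOVERY_RE = re.compile(r"^no service password-recovery\s*$", re.M)

def combo(text):
    """Return (image, ios, rommon); a field is None when it cannot be parsed."""
    img, rom = IMAGE_RE.search(text), ROMMON_RE.search(text)
    return (img.group("image") if img else None,
            img.group("ios") if img else None,
            rom.group("rommon") if rom else None)

def untested_lockouts(devices, tested):
    """List (name, combo) for routers with recovery disabled on an untested combo."""
    findings = []
    for name, text in sorted(devices.items()):
        if not NO_RECOVERY_RE.search(text):
            continue  # break-key password recovery is still available
        c = combo(text)
        if None in c or c not in tested:  # unparsed versions count as untested
            findings.append((name, c))
    return findings

def sample(image, ios, rommon, locked):
    """Build constructed 'show version' + config text for one router."""
    lines = [f"Cisco IOS Software, 2800 Software ({image}), Version {ios}, "
             "RELEASE SOFTWARE (fc1)"]
    if rommon:
        lines.append(f"ROM: System Bootstrap, Version {rommon}, RELEASE SOFTWARE (fc1)")
    if locked:
        lines.append("no service password-recovery")
    return "\n".join(lines)

IMG = "C2800NM-ADVIPSERVICESK9-M"
# Constructed inventory. edge-1 uses the image/ROMMON pair named in the post;
# every other version string and all device names are made up.
DEVICES = {
    "edge-1": sample(IMG, "12.4(6)T", "12.4(1r)", locked=True),
    "edge-2": sample(IMG, "12.4(15)T", "12.4(13r)T", locked=True),
    "edge-3": sample(IMG, "12.4(6)T", "12.4(1r)", locked=False),
    "edge-4": sample(IMG, "12.4(15)T", None, locked=True),
}
# Assumption: combinations on which someone has verified NVRAM erase via break.
TESTED = {(IMG, "12.4(15)T", "12.4(13r)T")}

if __name__ == "__main__":
    for name, c in untested_lockouts(DEVICES, TESTED):
        print(f"{name}: recovery disabled on untested combination {c}")
```

A router whose ROMMON version cannot be parsed is reported as well, since an unknown combination is by definition untested.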

Hello, Ivan!
I have also tried recently (last week) to delete the startup-config from a Cisco 837 router that had the "no service password-recovery" feature activated, but there was no way whatsoever to send BREAK to the poor thing.
Unfortunately the NVRAM is emulated in flash memory (onboard, of course) so I couldn't erase it.
I have also tried setting a jumper on all possible positions on the 10 motherboard pair of pins but it still loaded the startup-config from the NVRAM :)
Regards,
I assumed you opened a service request with Cisco for that issue, right Ivan? :)
Interesting. I have some devices that should support the "no service password-recovery" functionality. I'll give it a try and report back the results.
@Bluedemon: Absolutely :*) Come on ...
I am too scared to try... it's because I don't have a spare router to lose in case I screw up.
:^)
the bug (break being ignored after IOS is booted) seems to manifest because IOS checks for the break only in the first 5 seconds when the IOS is initialized.
it seems that this process (ios init) takes more than 5 seconds on some platforms/images (roughly 6 seconds on 837 ;-) and the break arrives too late.
the cisco workaround was to increase this interval to 10 seconds in newer images.
i guess you just need to RMA the affected router, if you have no access to enable...
This is something that I ran into with a router I bought on eBay ... I solved my issue by removing the NVRAM chip from the router which forces it to boot in ROM MON, then changed the confreg, then put the NVRAM chip back in, and not only did I have a password recovery, I was able to pull the entire config from the previous Co-Lo that was on the router.
Ivan, have you got any useful answer from Cisco TAC?
I haven't opened a case (the whole TAC thread was a joke ;). In my case, it would have been a theoretical question (I didn't have a locked-up router) and I would not want to waste TAC engineers' time, I guess there are plenty of other people doing that already.
Hi Ivan,
Actually we had this feature in our routers long before 12.3 or 12.4, it was simply a 'hidden' command. In fact it dates back to before 11.2 code ;-) ... email me a show tech so that I can emulate is the hardware....btw...here's an old 2620 with 12.0(7) with the feature enabled from a write-up I did back in 2001:
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-JO3S56I-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 07:11 by phanguye
Image text-base: 0x80008088, data-base: 0x8107A5D0
PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default configuration and proceed [y/n] ? y
Reset router configuration to factory default.
I have a Cisco 1841 and nothing I can do will reset the password.
All the breaks in the world, right after the image loads, before it, every other time you can imagine.
I am going down two avenues:
1. Find out which chip on the motherboard is the NVRAM and physically unsolder it.
2. Write my own IOS that when loaded erases the NVRAM.
Both options will probably result in the box being a doorstop for the rest of eternity :-)
There's a procedure used to "unbrick" some Linksys routers running Linux.
It involves shorting a couple of pins of the onboard flash, rendering it unusable. The router can then be accessed via its recovery mechanism.
I wonder if something similar couldn't be tried here? Ground a pin that's critical for reading NVRAM?
Obviously there is some risk, but if you're starting with an unusable router anyway...
And it's certainly preferable to unsoldering!
The Linksys procedure can be found by googling: wrt "pin 15 and 16"
I have one 2811 router and I forgot my password. It shows the error "password recovery functionality is disabled". Please tell me how to rectify this error.
Ok guy... This is an old old post but my friend is google and it told me that the friend of is friend of is friend... that is cisco I think??? told that since some age... " http://www.ict-partner.net/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html "... I don't know but that work...
The point of the post is quite simple: Sometimes specific ROMMON versions do not work as described by Cisco's documentation, so it's best to check whether the recovery really works before disabling password recovery and forgetting the password ;)
http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html#wp1062060
this works
I had this issue with an 1841, and I couldn't seem to time the Break correctly, so it wasn't giving me the option to clear the config.
So I alternately pressed <break>, then <ctrl-break> every second, as soon as the router powered on.
Crude, but it worked.
thanks SD!!! pressed ctrl+break every second and working
CTRL+BREAK worked on my 887 router, just needed to be very quick, was only 1-2 second time window after boot to send the command. THANKS!
If you are using a USB->serial adapter and can't get a break to work, more than likely the adapter is not sending it correctly. I spent over an hour trying it with one adapter and failing, changed to another brand's adapter and it worked first try.
ctrl-break worked for me on a 1721, answer yes then no then reboot. You should be able to get into rommon like normal.
I think you need ctrl-break depending on your serial port/console client setup.
Also, it did not erase the config. I was able to see the old config, that the previous owner left on the device. You should always erase the nvram before excessing as this command does not really secure it.
I had a similar problem with a Cisco 1803 today. It had IOS 12.3 on it. There was no way to get into ROMMON-mode (break did not work). I started it with another flash card with IOS 15.1 for 1800-series on it. The nvram was apparently unreadable for this IOS version, so it "reformatted" it for me. Booting again with the original flash-card showed me that the NVRAM was indeed reset to empty, and I rescued my eBay bargain... ;-)