Password Recovery

Several additional concepts related to loading the IOS must be understood before password recovery can be performed. First, software called the ROM monitor (rommon) is held in ROM on all routers and actually provides the code that is first used to boot each router. rommon has a rudimentary command structure that is used as part of the password recovery process. A limited-function IOS is also held in either ROM or in additional Flash memory called bootflash; in either case, the IOS in bootflash or ROM is used mainly in cases where the IOS in flash is not available for some reason. Finally, bit 6 of the configuration register set to binary 1 means that the router should ignore the NVRAM configuration when booting.

Password recovery revolves around the process of getting the router to boot while ignoring the NVRAM configuration file. The router will be up, but with a default configuration; this enables a console user to log in, enter privileged mode, and change any encrypted passwords or view any unencrypted passwords. To cause the router to ignore NVRAM at boot time, the configuration register must be changed. To do that, you must be in privileged modeā€”and if you were already there, you could reset any encrypted passwords or view any unencrypted ones. It seems to be a viscious circle.

The two keys to password recovery are knowing that rommon enables you to reset the configuration register and that a console user can get into rommon mode by pressing the Break key during the first 60 seconds after power-on of the router. Knowing how to reset the config register enables you to boot the router (ignoring NVRAM), allowing the console user to see or change the unencrypted or encrypted passwords, respectively.

The process is slightly different for different models of routers, although the concepts are identical. Table 2-7 outlines the process for each type of router.

Table 2-7 Password Recovery



How to Do This for 1600, 2600, 3600, 4500, 7200, 7500

How to Do This for 2000, 2500, 3000, 4000, 7000


Turn router off and then back on again.

Use the power switch.

Same as other routers.


Press the Break key within the first 60 seconds.

Find the Break key on your console devices keyboard.

Same as other routers.


Change the configuration register so that bit 6 is 1.

Use the rommon command confreg, and answer the prompts.

Use the rommon command o/r 0x2142.


Cause the router to load an IOS.

Use the rommon reload command or, if unavailable, power off and on.

Use rommon command initialize.


Avoid using setup mode, which will be prompted for at console.

Just say no.

Same as other routers.

Table 2-7 Password Recovery (Continued)



How to Do This for 1600, 2600, 3600, 4500, 7200, 7500

How to Do This for 2000, 2500, 3000, 4000, 7000


Enter privileged mode at console.

Press Enter and use enable command (no password required).

Same as other routers.


View startup config to see unencrypted passwords.

Use exec command show startup-config.

Same as other routers.


Use appropriate config commands to reset encrypted commands.

For example, use enable secret xyz123 command to set enable secret password.

Same as other routers.


Change config register back to original value.

Use config command Config-reg 0x2102.

Same as other routers.


Reload the router after saving the configuration.

Use the copy running-config startup-config and reload commands.

Same as other routers.

A few nuances need further explanation. First, the confreg rommon command prompts you with questions that correspond to the functions of the bits in the configuration register. When the prompt asks, "Ignore system config info[y/n]?", it is asking you about bit 6. Entering yes sets the bit to 1. The rest of the questions can be defaulted. The last confreg question asks, "Change boot characteristics[y/n]?", which asks whether you want to change the boot field of the config register. You don't really need to change it, but the published password recovery algorithm lists that step, which is the only reason that it is mentioned here. Just changing bit 6 to 1 is enough to get the router booted and you into privileged mode to find or change the passwords.

The original configuration is lost through this process, but you can overcome that. When you save the configuration in Step 10, you are overwriting the config in NVRAM. There was no configuration in the running config except default and the few things you configured. So, before Step 8, you might want to perform a copy startup-config running-config command and then proceed with the process.

0 0

Post a comment