Cisco Networking: Recovering a Device with a Lost Password
You may have an old Cisco router or switch on your storage shelf that you cannot use because you do not have the enable password for it. Well, with your trusty Cisco rollover cable, you can use ROMmon to recover the password. Recovering the password may differ slightly based on your device, but most devices use the process described here to tweak the configuration register.
If you have a running device of the same type (same model, such as a 2900 Series Router), you can run show version to find out what the default configuration register value is set to. In most cases, the register is set to 0x2102, but what does that mean ?
Several settings can be stored in the configuration register, and they are totaled into a single value. So all the 16-bit values are added together to give you the value that is stored in the register. In the following bullets, is a brief summary of the main values to worry about.
The lowest four bits control the boot settings:
Boot field equals 0000: Do not load a system image; enter into ROMmon mode. This allows you to manually load an image to boot.
Boot field equals 0001: Load the first valid image in Flash.
Boot field between 0010 and 1111: Load the image specified in the boot command in the configuration file stored in NVRAM; if this is not possible, stay in ROMmon.
In addition to the boot values, other values that are of interest include
Bit 6 (0x0040): Clear the NVRAM contents, this value will be the value to use to clear the existing enable password. Clear the entire contents of NVRAM.
Bit 8 (0x0100): Disable the break command.
Bit 13 (0x2000): Boot the IOS image on Flash if network boot fails or is not used.
You can use the show version command to find out what your configuration register is set to. So if the default register value is 0x2102 (Boot Flash IOS if no network boot, disable Break after system is running, and load items listed in boot configuration), change it to 0x2142 (Boot Flash IOS if no network boot, clear NVRAM, disable Break after system is running, and load items listed in boot configuration).
To perform password recovery, follow this process and reload your router. Then break into ROMmon by pressing the Break key or Ctrl+C within 60 seconds of restarting the device:
System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1) Copyright (c) 2003 by cisco Systems, Inc. PC = 0xfff0ac3c, Vector = 0x500, SP = 0x680127d0 PC = 0xfff0ac3c, Vector = 0x500, SP = 0x680127c0 C2600 platform with 131072 Kbytes of main memory PC = 0xfff0ac3c, Vector = 0x500, SP = 0x80004884 monitor: command "boot" aborted due to user interrupt rommon 1 > confreg 0x2142 rommon 2 > reset
After the reset, you are asked to go through the setup process again. Answer “no” to these requests and then follow this process.
Router>enable Router#copy startup-config running-config Router1#show running-config Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#enable secret <password> Router1(config)#config-register 0x2102 Router1(config)#exit Router1# *Mar 1 10:49:38.095: %SYS-5-CONFIG_I: Configured from console by console Router1#copy running-config startup-config Building configuration... [OK] Router1#reload Proceed with reload? [confirm] *Mar 1 10:51:27.247: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload command.
Because you have changed the configuration register from the configuration screen, you do not need to enter ROMmon to change back. It is not uncommon for this step to be forgotten, so each time you boot the device, you continually enter Setup mode.
Do not worry; if you still have a valid startup-config file in NVRAM, follow the immediately preceding code to the end. If you do not have the startup-config file, run setup to restore your settings and change the config-register value.