Password Recovery Techniques... part 1

Introduction
This post will explain several password recovery techniques for Cisco
routers. You can perform password recovery on most of the platforms without
changing hardware jumpers, but all platforms require the router to be
reloaded. Password recovery can only be done from the console port
physically attached to the router.
There are three ways to restore enable access to a router when the password
is lost. You can VIEW the password, CHANGE the password, or ERASE the
configuration and start over as if the box was new.
Each procedure follows these basic steps:
1. Configure the er to boot up without reading the configuration
memory (NVRAM). This is sometimes called the test system mode.
2. Reboot the system.
3. Access enable mode (which can be done without a password if you are in
test system mode).
4. VIEW or CHANGE the password, or ERASE the configuration.
5. Reconfigure the router to boot up and read the NVRAM as it normally
does.
6. Reboot the system.
NOTE: Some password recovery requires that a terminal issues a
Break signal; you must be familiar with how your terminal or PC
terminal emulator issues this signal. For example, in ProComm,
the keys Alt-B will by default generate the Break signal, and in
Windows Terminal you press Break or CTRL-Break. Windows Terminal
also allows you to define a function key as BREAK. From the
terminal window, select Function Keys and define one as break by
filling in the characters ^$B (Shift 6 , Shift 4, and Capital B).
The following six sections contain detailed instructions for specific Cisco
routers. Locate your router in the section headings to determine which
technique to use.
Technique #1
All Cisco 2000 Series, 2500 Series, 3000 Series, 680 x0 - Based 4000 Series,
7000 Series Running 10.0 or Later in ROMs, IGS Series Running 9.1 or Later
in ROMs
This technique can be used on the 7000 and 7010 only if the router has 10.0
ROMs installed on the RP card. It may be booting Flash 10.0 software, but
it needs the actual ROMs on the processor card as well.
1. Attach a terminal or PC with terminal emulation to the console port of
the router.
2. Type "show version" and record the setting of the configuration
register. It is usually 0 x2102 or 0 x102.
3. Power the router down, then up.
4 . Press the Break key on the terminal within 60 seconds of the power up.
You will see the > prompt with no router name. If you don't, the
terminal is not sending the correct Break signal. In that case, check
the terminal or terminal emulation setup.
5 . Type "o/r0 x42 " at the > prompt to boot from Flash or "o/r 0 x41" to
boot from the boot ROMs. Note that this is the letter "o," not the
numeral zero. If you have Flash and it is intact, 0 x42 is the best
setting. Use 0 x41 only if the Flash is erased or not installed.
NOTE: If you use 0 x41, you can only view or erase the
configuration. You cannot change the password.
6. Type "i" at the > prompt. The router will reboot but will ignore its
saved configuration.
7. Answer "no" to all the setup questions.
8. Type "enable" at the "Router>" prompt. You'll be in enable mode and
see the "Router#" prompt.
9. Choose one of these three options:
o To VIEW the password type "show config."
o To CHANGE the password (in case it is encrypted, for example):
a. Type "config mem" to copy the NVRAM into memory.
b. Type "config term" and make the changes to the configuration.
conf t
enable password password
ctrl-z
c. Type "write mem" to commit the changes.
o To ERASE the config, type "write erase.
10. Type "config term" at the prompt.
11 . Type "config-register 0 x2102," or whatever value you recorded in step
2.
12. Hit Ctrl-Z to quit from editor.
13. Type "reload" at the prompt. You do not need to write memory.
Technique #2
Cisco 1003 , 4500, or IDT Orion- Based Routers
1. Attach a terminal or PC with terminal emulation to the console port of
the router.
2. Type "show version" and record the setting of the configuration
register. It is usually 0 x2102 or 0 x102.
3. Power the router down, then up.
4 . Press the Break key on the terminal within 60 seconds of the power up.
You will see the "rommon>" prompt. If you don't, the terminal is not
sending the correct Break signal. In that case, check the terminal or
terminal emulation setup.
5. Type "confreg" at the "rommon>" prompt.
6. Answer "y" to the "Do you wish to change configuration[y/n]?" prompt.
7. Answer "n" to all of the questions that appear until you reach the
"ignore system config info[y/n]?" prompt. Answer "y."
8. Answer "n" to the remaining questions until you reach the "change boot
characteristics[y/n]?" prompt. Answer "y."
9 . At the "enter to boot:" prompt, type "2" followed by a carriage
return. If Flash is erased, type "1 ." If all Flash is erased, the 4500
must be returned to Cisco for service.
NOTE: If you use "1," you can only view or erase the
configuration. You cannot change the password.
10. A configuration summary is printed. Answer "n" to the "Do you wish to
change configuration[y/n]?" prompt.
11 . Type "reset" at the "rommon>" prompt, or power cycle your 4500 or
7500.
12. Once it boots up, answer "no" to all the Setup questions.
13. Type "enable" at the "Router>" prompt. You'll be in enable mode and
see the "Router#" prompt.
Read Part 2 to continue...