Password recovery

Answered Question

I bought a 1841 Router on e-bay.

Apparently, it has been configured with "no service password-recovery". The console shows: PASSWORD RECOVERY FUNCTIONALITY IS DISABLED, and it does not respond to Ctrl-Break during boot. AFAIK, this router does not have a removable NVRAM chip - so this method of reset is excluded. Is my only option to RMA it?


TIA, /Luis

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
kyawzawhtut Thu, 03/15/2007 - 18:32
User Badges:

I believe you still can go back to factory default without needing RMA.


Press the break-key winthin 5sec after decompress the image. System will prompt you to confirm and after that it will delete the start-up config and back to factory default.


Check this url for different combination of break-key that you can try.


http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a0080174a34.shtml


HTH


Plz rate if helpful.


Cheers

Kyaw

sundar.palaniappan Thu, 03/15/2007 - 20:22
User Badges:
  • Green, 3000 points or more

Luis,


I believe your understanding is correct. I don't think you can break in when password recovery is disabled in the router.


Actually, if I remember correct the IOS even produces a warning when configuring the no service password recovery command that if the password is lost then RMA will be your only option.


HTH


Sundar

Well, here the steps taken so far:

- About 20 reboots with console cable connected. I have hit Ctrl-Break at every thinkable point, after 5 secs. after boot, when "Image text-base:" appears, etcetc.


- I cross-checked with another 831 I have around to see if the Ctrl-break works there: It does.


- I have taken the Button-Cell battery out of the 1841 for at least 20 minutes, hoping that this would erase the config. I'm not sure what this battery is for, because this had no effect whatsoever.


My assumption was: That it would be possible to use the Ctrl-Break procedure and to expect a "Do you want to reset the router to factory default configuration and proceed [y/n] ?" prompt, but I don't get to that prompt. There is a bit of conflicting documentation out there.


Cheers, /Luis


sundar.palaniappan Thu, 03/15/2007 - 21:04
User Badges:
  • Green, 3000 points or more

Luis,


Actually, it appears you should be able to reset the router to the factory default settings when password recovery is disabled. You should be able to break in within 5 seconds after the image decompresses during the boot.


Follow the steps in this document to see if it helps.


http://cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00802a1e76.html


HTH


Sundar

kyawzawhtut Thu, 03/15/2007 - 21:09
User Badges:

Luis


I suggest you try the different combination of break key which I gave u in previous post.


May be it is different break-key under no password recovery situation. Who know?


HTH


Cheers

Kyaw

kyawzawhtut Mon, 03/19/2007 - 00:55
User Badges:

Hi Luis


Do you manage to recover the password? Please update so that we can learn new thing from your experience.


Cheers!


Kyaw

mohammedmahmoud Mon, 03/19/2007 - 03:10
User Badges:
  • Green, 3000 points or more

Hi Luis,


As clarified by Sundar, and according to Cisco's website:


No Service Password-Recovery:


Disable password recovery feature provides the ability to disable the password recovery process. With this feature enabled, a hacker with physical access to the router cannot enter the ROMMON and ignore the startup config. For genuine users who have forgotten the password and want to recover the router on which this feature is already enabled, an enhancement to this feature has been made which makes the router to accept the break signal within 5 seconds after rebooting. The user now has the option to boot the router with factory default config.


I'll try to test it for you in lab ASAP.


HTH,

Mohammed Mahmoud.

I have been through 25-30 reboots, following the different recommendations where some say to hit Ctrl-Break when when "Image text-base:" appears, other after 5 seconds into boot etcetc.

I have even tried another terminal program, but the fact that sending a Ctrl-Break to another router (for comparison) works on the first attempt, shows that the Terminal proggie indeed is sending a Break.

I would call this the end of the line, and unless some revolutionary new method turns up, this one will be sent for service.


Cheers, /Luis

Leo Laohoo Fri, 11/27/2009 - 13:52
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 LAN, Wireless

Hi Chris,
Please avoid making multiple post of the same topic.  I'm responding to your main post.

Hi Christopher,


My original post is more than 2 years old, but the issue was never resolved.

I had sent the router to a company in the US that claimed they could do it, and it came back stone dead. (No LED indicators, no RS232 response anymore).

Either they repaired it to death, or just swapped the mainboard with a DUD.

I had not recorded the mainboard serial number before sending it off, (My bad) so I had no leverage.


Before sending it for "so-called repair" I have tried loading it with older versions of the IOS, and I tried several low-level hardware things like resetting the ROM chip during boot trying to cause an unspecfied error (Kernel panic) and to get the router to reveal something or to get into rommon mode. I don't have enough low-level hardware knowledge, but I can identify the reset-pin on a given chip and try all kind of blind and non-destructive things.


Bottom line: That $500 piece of equipment wound up on the shelf, waiting to be used as spare-part repository. The fan is good, the power supply is good. I have a hard time to write off equipment because of a lost password, but that was the end of the story.

Leo Laohoo Fri, 11/27/2009 - 21:03
User Badges:
  • Super Gold, 25000 points or more
  • Hall of Fame,

    The Hall of Fame designation is a lifetime achievement award based on significant overall achievements in the community. 

  • Cisco Designated VIP,

    2017 LAN, Wireless

Oh for goodness sake.


Here's the link:


http://www.heinzulm.com/password.php


I've successfully used this process and added a last item on my list:  Kill the idi0t who disabled the password recovery.

Peter Paluch Fri, 11/27/2009 - 14:06
User Badges:
  • Cisco Employee,

Hello,


A friend of mine has once told me that he had a similar problem. His 1841 was running IOS c1841-advipservicesk9-mz.123-8.T11.bin and he had configured the no service password-recovery. He was unpleasantly surprised to meet the same troubles as you - while hitting the Ctrl+Break key several times during the boot process, the router just ignored him.


Eventually, the solution he found was trivial. He took out the Compact Flash card and replaced the old IOS on it with a new one on a different router. Then he booted the 1841 with the new IOS and managed to get the Ctrl+Break key working as expected (the router will erase the configuration instead of ignoring it). The IOS he was successful with was the c1841-advipservicesk9-mz.124-20.T.bin and I assume that it will work also with more recent IOSes.


Give it a try.


Best regards,

Peter

By the way - while digging in old posts, some sentences made me wonder:


First:

>>>>

With this feature enabled, a hacker with physical access to the router cannot enter the ROMMON and ignore the startup config.

<<<<


A hacker with physical access is usually not a hacker but a thief or an intruder on the premises. Hackers work remotely - usually, generally.


Second:

>>>>

For genuine users who have forgotten the password and want to recover the router on which this feature is already enabled, an enhancement to this feature has been made which makes the router to accept the break signal within 5 seconds after rebooting. The user now has the option to boot the router with factory default config.

<<<<


In THAT case, what is the difference between a hacker with physical access and a genuine user with physical access who has just forgotten the password? (Both can carry a laptop with a RS232 port and a cable, not?)


Sure you may be quoting contents in your post, but still the lack of distinction between hacker and legitimate user in this scenario is striking.

Yahooo!!!


I put the following image on the compact flash


c1841-advipservicesk9-mz.124-20.T.bin


I then power cycled the router and entered the break sequence after the image had decompressed #####[ok]  ( I also pressed it a couple of times a few seconds after.


System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c1841 platform with 131072 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled


Readonly ROMMON initialized
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80

program load complete, entry point: 0x8000f000, size: 0x235aa60
Self decompressing the image : #################################################
################################################################################
####################################################### [OK]

Smart Init is enabled
smart init is sizing iomem
  ID            MEMORY_REQ         TYPE
                0X003AA110 public buffer pools
                0X00211000 public particle pools
                0X00020000 Crypto module pools
                0X000021B8 Onboard USB

If any of the above Memory Requirements are
"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.

Allocating additional 2785644 bytes to IO Memory.
PMem allocated: 122683392 bytes; IOMem allocated: 11534336 bytes

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706


Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(20)T,
RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:28 by prod_rel_team


PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default
configuration and proceed [y/n] ?
Reset router configuration to factory default.

Actions

This Discussion