In this How To we will reveal how to bypass the system password on Cisco IOS routers. This procedure is used regularly by CellStream consultants.
As you will see, we are changing the configuration register to alter the boot process to exclude the configuration files that the router has, as within those configuration files is the password setting. If you want to know details on the configuration register look here.
Older Versions of IOS
For older versions of IOS and router platforms use the following procedure:
Step 1: Connect via serial cable to the console port of the router
Step 2: Power Cycle the router
During the boot process hit <Ctrl><Break>
Should get the rommon 1> prompt
Step 3: Enter the following commands – make sure you use the xact capitalization as shown (do not enter anything with the {} comments):
rommon 1> o
rommon 2> o/r 0x2142 {reseting the config register}
rommon 3> I {for initialize}
Step 4: After the reload, return the router to normal boot sequence
Router> enable
Router# configure terminal
Router(config)# config-register 0x2102
Now you can do what you need to do to return the system to its original configuration minus the unknown password, or begin configuring the system.
Newer Versions of IOS
On newer versions of IOS, a configure register utility is built into ROMMON. So first follow steps 1 and 2 above to get the Rommon> prompt.
You can check to see what is available at the Rommon prompt with a “?”:
rommon 1 > ?
alias set and display aliases command
boot boot up an external process
break set/show/clear the breakpoint
confreg configuration register utility <===!!!
cont continue executing a downloaded image
context display the context of a loaded image
cookie display contents of motherboard cookie PROM in hex
dev list the device table
dir list files in file system
dis disassemble instruction stream
dnld serial download a program module
frame print out a selected stack frame
gioshow show the gio version
help monitor builtin command help
history monitor command history
iomemset set IO memory percent
meminfo main memory information
repeat repeat a monitor command
reset system reset
rommon-pref Select ROMMON
set display the monitor variables
showmon display currently selected ROM monitor
stack produce a stack trace
sync write monitor environment to NVRAM
sysret print out info from last system return
tftpdnld tftp image download
unalias unset an alias
unset unset a monitor variable
xmodem x/ymodem image download
Begin by selecting the confreg (configure register) utility:
rommon 2 > confreg
Configuration Summary
(Virtual Configuration Register: 0x2102) <–Note: register setting
enabled are:
load rom after netboot fails
ignore system config info
console baud: 9600
boot: image specified by the boot system commands
or default to: cisco2-c1841
do you wish to change the configuration? y/n [n]: y
enable “diagnostic mode”? y/n [n]: n
enable “use net in IP bcast address”? y/n [n]: n
disable “load rom after netboot fails”? y/n [n]: n
enable “use all zero broadcast”? y/n [n]: n
enable “break/abort has effect”? y/n [n]: n
enable “ignore system config info”? y/n [n]: y <—-here is where we made the change
change console baud rate? y/n [n]: n
change the boot characteristics? y/n [n]: n
Configuration Summary
(Virtual Configuration Register: 0x2142) <—note change to the register
enabled are:
load rom after netboot fails
console baud: 9600
boot: image specified by the boot system commands
or default to: cisco2-c1841
do you wish to change the configuration? y/n [n]: n
You must reset or power cycle for new config to take effect
Now boot the device and the startup.cfg and any password is bypassed.
rommon 3 > boot
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xf7e3e4
Self decompressing the image : ############################################################################## [OK]
Smart Init is enabled
smart init is sizing iomem
ID MEMORY_REQ TYPE
0X003AA110 public buffer pools
0X00211000 public particle pools
0X000021B8 Onboard USB
If any of the above Memory Requirements are
“UNKNOWN”, you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Allocating additional 7694584 bytes to IO Memory.
PMem allocated: 117440512 bytes; IOMem allocated: 16777216 bytes
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software – Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(6)T8, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 25-Jul-07 15:18 by khuie
Image text-base: 0x6008BDC4, data-base: 0x616087C0
Cisco 1841 (revision 7.0) with 114688K/16384K bytes of memory.
Processor board ID FTX1135W238
2 FastEthernet interfaces
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
— System Configuration Dialog —
Would you like to enter the initial configuration dialog? [yes/no]: no
OK – we hope that helps you if you have a system where the password either appears incorrect or you do not know it.