Cisco 857 password recovery

This is a post re. the recovery of an 857 router during an IOS update.

The system has been previously configured with the 'no service password-recovery'.

The IOS image has been removed from flash, prior to upgrade. However, we are now unable to enter 'rommon' mode to download a new IOS image in the normal manner.

I have found technotes on this that seem to indicate that even with this enabled, we can do Ctrl-Break when it loads the IOS image to enter rommon.

However, we do not get to this point on account of no IOS image, such that the router continually recycles.

The capability of the 'reset' button seems also to have been disabled (I can't be sure whether this is on account of the password-recovery configuration).

Would be very glad of the workaround to this - it seems this would relate to a reset somehow of the config-register to its factory default. Thanks

Reply to

Well, according to this document, the router is dead.

no service password-recovery disables access to the rommon prompt. No recovery requiring rommon can be accomplished.

You will need a second router in which to temporarily install the flash module. I would imagine that any 850 series router will suffice.

Reply to

Thanks for note back.

Re flash memory - how does that work? Is the onboard flash removable, or do you suggest to add additional flash memory, somehow causing the router to reset?

Reply to
Graham Turner

No, you need a second working router and you will have to remove the flash from it and put the flash from the broken router into the good one and put an IOS image on the 'broken' flash.

The onboard flash is a memory stick. I forget the exact technology. SIMM, DIMM thingy. There will probably be two, RAM and FLASH. If you have ever removed a memory stick from a PC you will have no trouble.

The FLASH chip contains the software image and maybe other files. You can recover an image on to the flash by putting it in another router and downloading an image.

Once you get an image in the router you can then follow the instructions on the page previously pointed at.

Try this one first - "Another method is to reload or boot the router with console access"

Reply to

Thanks for the further note back. Not sure if I am being daft, but there do not appear to be any removable mem modules on the 857 we have.

There are 3 empty 'slots' - one DIMM-like, and two slots of the types that I have installed VPN modules in - don't know if that makes sense?

Although we have been remiss in removing the flash contents with the 'service password recovery disabled', I can't believe that there is not some hardware reset, presumably if we could get back to the default config-register that does not have the bit set that disables 'break'?

Reply to
Graham Turner

The 857 doesn't have removable Flash like most other Cisco routers (including the 877 which does).

Since the flash is soldered onto the board, you can't do the trick around it that he was trying to explain.

The point of the 'no service password recovery' was to lock the box out of all physical attacks for service providers that wanted to make sure their subscribers couldn't get back in and do their own configs.

It's even half-way tame now-a-days compared to what it was when it was a fully undocumented command, where you didn't have any config-erase type option that loading the IOS gives you now.

But, sorry to say, the only way out of this would be to in-circuit reprogram the flash chip where the NVRAM/config is stored if that is even possible.

Or put Smartnet on it, and have it advanced replaced by Cisco TAC. Probably won't be the first time they've had to.

Reply to
Doug McIntyre

Doug, thanks for note back.

Do I have it right then that the 'no service password-recovery' disables the capability of the hardware reset button?

We are not interested in anything on the router,

Reply to
Graham Turner

Sorry. I had the idea that the 877 was removable but I did not know about the 850. We mostly used 870's.

It's not like Cisco to have something which cannot be recovered. Very, very unusual.

I am not sure what the slots are for but I would guess extra RAM and Flash.

Cisco 851 and 857 routers
Flash Memory Card Options: 4 MB, 16 MB, or 32 MB
Default Flash Memory: 20 MB (onboard flash memory only)
Maximum Flash Memory: 20 MB

This seems ODD. Default + Option = Max (which is Default)

There are no flash memory part numbers listed for the 85x.

Thing is that it is important to remember the purpose of no service-pass. It is to *ensure* that cryptographic keys cannot be recovered from the router. It is going to be tough to work round.

As suggested, get it on Smartnet and let Cisco deal with it. Or get another one on eBay?

Reply to

I am totally happy with the purpose of the 'service-pass' to prevent recovery of passwords, but this is not what we want to do.

Do I have it right though that this disables the hardware reset button, which seems to be ignored by the router?

Reply to
Graham Turner

I think the button only does a cold boot reset - like on a PC. I know that some other network kit does a factory reset but Cisco does not as far as I am aware. I have never used it.

Have you tried sending a break in the first 5 seconds after power on?

Firstly make SURE you are sending a break - ideally test on another router.

I suggest then (if using HyperTerminal and not using a USB serial port adapter that does not send break):

- press the key
- power on the router
- immediately begin pressing the break key every two seconds
- do not hammer away at it
- do this for at least ten seconds

Power off and try again every second.

Some USB serial port adapters do not send break signal. Some versions of HyperTerminal do not send a break signal. Various different terminal emulators use different keys. Macintoshes apparently do not send breaks (but there is a workaround - set very slow baud rate and press some certain key or other).

Why not try for longer too?

Reply to

I am sure that we are sending the break to the router - have tested the same sequence on a functional 857.

What I suspect is that the 'no service password-recovery' has manipulated the config-register so as to perhaps disable the break? Or perhaps access to the rommon completely?

Thanks again for notes back

Reply to
Graham Turner

My frail understanding is that no service password-rec disables access to the rommon.

It seems that once IOS starts there is a short period where the serial port is monitored for a break signal which permits entry to the recovery menu which has the option of clearing the config.

So with no IOS and no reasonable way to get one on board you seem to be stuffed.

De-soldering and re-soldering these chips is quite possible for suitably skilled people but on a commercial basis for sure not worth it. Especially if you were to consider dismantling a good router as well!!!

I think they use a hot air gun to heat the board and release/ re-attach the chip. Trick might be to make sure that not too much falls off.

Still, now you have had a course on the Cisco boot process. Most of the routers/switches are very similar.

Reply to

Graham Turner wrote:

That's what the docs say about this feature. You can recover by completely erasing the config by sending the break sequence in the first 5 seconds after the [ok] appears after the image is decompressed. But you'll need a working IOS image on the device (or configured TFTP boot a backup image before). Without a decompressed ready to run IOS in RAM there is no (documented or known) way into the box. Smartnet -> RMA.

Reply to
Uli Link
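An added example, not part of any poster's message and not Cisco tooling: a pre-upgrade check for the failure this thread describes, where the only IOS image is deleted from flash on a router that has 'no service password-recovery' set. The function name, the file names, the rule that a .bin file is a bootable image, and the sample config are assumptions constructed for illustration.

```python
import re

# Constructed sample: fragment of a saved running-config (not from the thread).
SAMPLE_CONFIG = """\
hostname branch-857
no service password-recovery
boot system flash:old-image.bin
"""

def preflight(running_config, flash_files, to_delete):
    """Return a list of findings for deleting `to_delete` from flash.

    flash_files and to_delete are bare file names as listed by `dir flash:`.
    Assumption: any file ending in .bin is a bootable IOS image.
    """
    lines = [line.strip() for line in running_config.splitlines()]
    recovery_disabled = "no service password-recovery" in lines
    # Names referenced by `boot system flash:<name>` or `boot system flash <name>`.
    boot_targets = []
    for line in lines:
        m = re.match(r"boot system flash[:\s]\s*(\S+)", line)
        if m:
            boot_targets.append(m.group(1))
    # A network boot source configured beforehand, as the thread mentions for TFTP.
    network_boot = any(re.match(r"boot system tftp\b", line) for line in lines)
    remaining = [f for f in flash_files
                 if f not in to_delete and f.endswith(".bin")]

    findings = []
    if not remaining:
        findings.append("WARN: no .bin image left in flash after delete")
        if recovery_disabled and not network_boot:
            findings.append("BLOCK: password recovery is disabled and no image "
                            "or TFTP boot remains; copy and verify the new "
                            "image before deleting the old one")
    for target in boot_targets:
        if target in to_delete or target not in flash_files:
            findings.append(f"WARN: boot system points at missing file {target}")
    return findings
```

Run it against the saved config and the flash listing before issuing the delete; an empty list means the planned delete leaves a bootable image in place.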

Indeed - one which we will no doubt look back on and smile - thanks for your advice on this

Reply to
Graham Turner

| De-soldering and re-soldering these chips is quite possible
| for suitably skilled people but on a commercial basis for
| sure not worth it. Especially if you were to consider
| dismantling a good router as well!!!

You can usually get around this kind of thing without unsoldering (or at least without fully unsoldering) anything by convincing the box that the saved configuration is corrupt. I don't know what the 857 uses for configuration storage but NVRAM, eeprom, and flash parameter blocks are common. If the architecture isolates the various busses you can often simply ground an address line on the memory device to confuse the box into thinking the configuration is bogus. This is most tricky on flash devices where the boot block is also being used to, well, boot... It helps to get the data sheet for the flash device to see the sector architecture which will in turn allow you to select good candidate address lines. If the busses are not isolated you may need to lift a pin, but don't ignore the possibility of glitching a chip enable pin to take the whole device out of memory space at the right time.

Dan Lanciani ddl@danlan.*com

Reply to
Dan Lanciani