Recovering Passwords of Cisco Router

When you forget the password, changing the configuration register lets you get back in and access the router. Bit 6 in the configuration register tells the router whether to use the contents of NVRAM to load a router configuration. The default configuration register value is 0x2102, which indicates that bit 6 is off. To recover a password, the user has to turn on bit 6. This tells the router to ignore the NVRAM contents. When bit 6 is turned on, the configuration register value is 0x2142.

The important steps for password recovery are:
    1. Booting up a router and interrupting the boot sequence by pressing Ctrl+Break.
    2. Changing the configuration register to turn on bit 6.
    3. Restarting the router and entering into privileged mode.
    4. Copying the startup-config file to running-config and changing the password.
    5. Changing the configuration register to the default value.
    6. Saving the router configuration and rebooting the router.

Interrupting the router boot sequence

The first step in password recovery is to boot the router and perform a break. This can be done by pressing the Ctrl+Break key in HyperTerminal when the router first reboots. The following output is displayed when the break is performed:

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff0a530, Vector = 0x500, SP = 0x680127b0
C2600 platform with 32768 Kbytes of main memory
PC = 0xfff0a530, Vector = 0x500, SP = 0x80004374
monitor: command "boot" aborted due to user interrupt
rommon 1 >


The rommon 1> prompt is where the password recovery is carried out.

Changing the configuration register

Enter the following command at the rommon 1> prompt to change the bit value on a Cisco 2600 series router:

rommon 1> confreg 0x2142

To run with the new configuration register value, you have to reset the router.

On a 2500 series router, after sending the break sequence, type o to display the configuration register option settings menu. To change the configuration register, type the o/r command followed by the new register value. Turning on bit 6 on a Cisco 2502 router is shown below:

System Bootstrap, Version 11.0(10c), SOFTWARE
Copyright (c) 1986-1996 by cisco Systems
2500 processor with 14336 Kbytes of main memory
Abort at 0x1098FEC (PC)
>o
Configuration register = 0x2102 at last boot
Bit# Configuration register option settings:
15 Diagnostic mode disabled
14 IP broadcasts do not have network numbers
13 Boot default ROM software if network boot fails
12-11 Console speed is 9600 baud
10 IP broadcasts with ones
08 Break disabled
07 OEM disabled
06 Ignore configuration disabled
03-00 Boot file is cisco2-2500 (or 'boot system' command)
>o/r 0x2142


The last entry in the router output, 03-00, tells the router which IOS boot file is used. By default, the router uses the first file located in flash memory. To boot a different file name, change the configuration register or use the boot system IOS-name command.

Reloading the Router and Entering Privileged Mode

After changing the configuration register value, you have to reload the router by resetting it:
  • From the 2600 router, type reset.
  • From the 2500 router, type I.

The router will reload and ask whether you want to enter setup mode. Enter No or press Enter to get into user mode, and then type enable to enter privileged mode.

Viewing and Changing the configuration

You have now passed the point where the user mode and privileged mode passwords would have been required. In this step, copy the startup-config file into the running-config file with the copy startup-config running-config command (or copy start run). This helps you to enter privileged mode. You can now view and change the configuration, but you cannot view the enable secret password.

Type the commands as shown below to change the password.

config t
enable secret <secret password>

Resetting the configuration Register and Reloading the Router

After changing the password, set the configuration register back to the default value using the config-register command:

config t
config-register 0x2102

Save the new configuration using copy running-config startup-config and reload the router.

Configuration register values of Cisco Devices


Cisco IOS is the kernel of Cisco routers and most switches. IOS was created to deliver network services and enable networked applications. Almost all Cisco routers run the same IOS, but only about half of the switches currently run the Cisco IOS, like the Catalyst 1900 switch. Cisco IOS and the configuration file reside in various locations in the Cisco device, and it is very important to understand where these files are placed and how they work. In this lesson, you will learn the commands which are used to load Cisco IOS onto the router and how to maintain backup files. In order to configure the Cisco internetwork, you need to understand some of the major components of the router. The major components include ROM, RAM, Flash memory, NVRAM and the config-register. The configuration register value tells the router to load IOS from flash memory, and it also tells the router to load the configuration from NVRAM. In this lesson, you will learn some of the commands used to verify and change the configuration register. Changing the configuration register value helps you to change the boot sequence and to recover the password. Here in this lesson you will find the steps used to recover the password.

Configuration register values

All Cisco routers have a 16-bit software register which is written into NVRAM. By default, the configuration register is set to load Cisco IOS from flash memory and to load the startup-config file from NVRAM.

The router checks the system bootstrap information depending on the boot field setting in the configuration register. The default configuration register setting can be changed with the help of global configuration-mode command config-register.

In the example below, the configuration register is set so that the router checks the startup file in NVRAM for boot system options. The configuration register is a 16-bit register in NVRAM, and the lowest 4 bits of the configuration register (bits 3, 2, 1 and 0) form the boot field. The default configuration setting on a Cisco router is 0x2102. The 0x tells you that the value is in hex, and the rest of the digits are the actual settings. The easiest way to understand the configuration register is to convert the hex value into binary. Hexadecimal is base 16, which means that each hexadecimal digit can represent one of 16 values. The digits range from 0 through F, with 0 representing decimal 0 and F representing decimal 15. To convert hex to binary, take each hex digit, convert it into decimal and then convert that into binary, as each hex digit represents four binary digits. The table below shows the conversion from hex to decimal to binary.

Conversions from Hex to decimal to Binary

HEX DECIMAL BINARY
0 0 0000
1 1 0001
2 2 0010
3 3 0011
4 4 0100
5 5 0101
6 6 0110
7 7 0111
8 8 1000
9 9 1001
A 10 1010
B 11 1011
C 12 1100
D 13 1101
E 14 1110
F 15 1111

So, if you want to change the default configuration register value 0x2102, first split the number into four individual digits, then convert each digit into binary and put the results back in the correct order. After converting, you can see that bits 13, 8 and 1 are on. In the table below, you can see that each set of 4 bits is read in binary with the values 8, 4, 2 and 1.

Configuration Register Bit Numbers

Configuration Register Setting Router Behavior
0x102
  • Ignores break
  • 9600 console baud
0x1202
  • 1200 baud rate
0x2101
  • Boots into bootstrap
  • Ignores break
  • Boots into ROM if initial boot fails
  • 9600 console baud rate
0x2102
  • Ignores break
  • Boots into ROM if initial boot fails
  • 9600 console baud rate default value for most platforms
0x2120
  • Boots into ROMmon
  • 19200 console speed
0x2122
  • Ignores break
  • Boots into ROM if initial boot fails
  • 19200 console baud rate
0x2124
  • NetBoot
  • Ignores break
  • Boots into ROM if initial boot fails
  • 19200 console speed
0x2142
  • Ignores break
  • Boots into ROM if initial boot fails
  • 9600 console baud rate
  • Ignores the contents of Non-Volatile RAM (NVRAM) (ignores configuration)
0x2902
  • Ignores break
  • Boots into ROM if initial boot fails
  • 4800 console baud rate
0x2922
  • Ignores break
  • Boots into ROM if initial boot fails
  • 38400 console baud rate
0x3122
  • Ignores break
  • Boots into ROM if initial boot fails
  • 57600 console baud rate
0x3902
  • Ignores break
  • Boots into ROM if initial boot fails
  • 2400 console baud rate
0x3922
  • Ignores break
  • Boots into ROM if initial boot fails
  • 115200 console baud rate

(If the value you have for the configuration register is not in the table, then determine which bits are set in order to compute the value.)

The table below lists the software configuration bit meanings. You can see that the default value sets the router to boot to ROM if network boot fails (bit 13), disables the break function (bit 8) and sets the router to boot normally (bits 0-3).

Software configuration meanings

Bit Number Hex Meaning
00-03 0x0000-0x000F Boot Field Parameters:
  • 0x0000 - Stays at the system bootstrap prompt.
  • 0x0001 - Boots the first system image in onboard Flash memory (EPROM).
  • 0x0002-0x000F - Specifies a default netboot filename. Enables boot system commands that override the default netboot filename.
06 0x0040
  • Ignore NVRAM contents
07 0x0080
  • Disable boot messages
08 0x0100
  • Break disabled
10 0x0400
  • IP broadcast with all zeros
5,11,12 0x0020, 0x0800, 0x1000
  • Console line speed
13 0x2000
  • Boots default ROM software if network boot fails
14 0x4000
  • IP broadcasts do not have net numbers
15 0x8000
  • Enables diagnostic messages
  • Ignores NVRAM contents

Note: Remember bit 4, 5 and 9 are reserved.

The boot field, which consists of bits 0-3 in the configuration register, controls the router boot sequence. The table below describes the boot field bits.

The Boot system command

Value of boot field Meaning Description
0x---0 ROM Monitor mode To boot to ROM monitor mode, set the configuration register value to 2100. You have to manually boot the router by using the "b" command. The prompt will be rommon >
0x---1 Boot image from ROM To boot an IOS image stored in ROM, set the configuration register to 2011. The router shows the prompt router(boot)>
0x---2 to 0x---F Specifies the default boot file name Any value from 2101 to 210F indicates that the router uses the boot commands specified in NVRAM
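The hex-to-binary procedure and the bit tables above can be applied mechanically. The following is an added example, not part of the original lesson: a small decoder whose console-speed mapping is derived from the settings table on this page and whose function and key names are illustrative.

```python
# Console speed keyed by (bit 5, bit 12, bit 11), derived from the settings
# table above: 0x2102 -> 9600, 0x2902 -> 4800, 0x3902 -> 2400, 0x1202 -> 1200,
# 0x2122 -> 19200, 0x2922 -> 38400, 0x3122 -> 57600, 0x3922 -> 115200.
BAUD = {
    (0, 0, 0): 9600, (0, 0, 1): 4800, (0, 1, 1): 2400, (0, 1, 0): 1200,
    (1, 0, 0): 19200, (1, 0, 1): 38400, (1, 1, 0): 57600, (1, 1, 1): 115200,
}

# Single-bit options from the "Software configuration meanings" table.
FLAGS = {
    6: "Ignore NVRAM contents",
    7: "Disable boot messages",
    8: "Break disabled",
    10: "IP broadcast with all zeros",
    13: "Boots default ROM software if network boot fails",
    14: "IP broadcasts do not have net numbers",
    15: "Enables diagnostic messages",
}

def decode_confreg(value):
    """Return a dict describing a 16-bit configuration register value."""
    if isinstance(value, str):
        value = int(value, 16)          # accepts "0x2142" or "2142"
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")
    def bit(n):
        return (value >> n) & 1
    boot_field = value & 0x000F         # bits 3-0
    if boot_field == 0:
        boot = "Stays at the system bootstrap prompt"
    elif boot_field == 1:
        boot = "Boots the first system image in onboard Flash memory (EPROM)"
    else:
        boot = "Default netboot filename; boot system commands override it"
    return {
        "hex": f"0x{value:04X}",
        "binary": " ".join(f"{(value >> s) & 0xF:04b}" for s in (12, 8, 4, 0)),
        "bits_on": [n for n in range(15, -1, -1) if bit(n)],
        "boot": boot,
        "console_baud": BAUD[(bit(5), bit(12), bit(11))],
        "ignore_nvram": bool(bit(6)),
        "flags": [FLAGS[n] for n in sorted(FLAGS) if bit(n)],
    }

if __name__ == "__main__":
    for reg in ("0x2102", "0x2142", "0x3922"):
        print(decode_confreg(reg))
```

The only difference between 0x2102 and 0x2142 is 0x0040, which is bit 6.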

Checking the current Configuration Register Value

The current value of the configuration register can be viewed by using the show version command (sh version or sh ver). The show version command also displays the hardware configuration information, the software version, and the names and sources of the configuration file and boot image on a router. For example:


Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JS-L), Version 12.1(5), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 25-Oct-00 05:18 by cmong
Image text-base: 0x03071DB0, data-base: 0x00001000
ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
Router uptime is 7 minutes
System returned to ROM by reload
System image file is "flash:c2500-js-l_121-5.bin"
cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 03867477, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Token Ring/IEEE 802.5 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2142

In this example, the configuration register value is 0x2102, which is the default setting. It tells the router to look in NVRAM for the boot sequence. The show version command also gives the IOS version, which in this example is 12.1(5).

Changing the Configuration Register

The configuration register value can be changed to modify how the router boots and runs. It is changed by using the config-register command. The commands in the example below tell the router to boot a small IOS from ROM monitor mode, and the output also shows the current configuration register value.

Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#config-register 0x2102
Router(config)#end
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JS-L), Version 12.1(5), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Wed 25-Oct-00 05:18 by cmong
Image text-base: 0x03071DB0, data-base: 0x00001000
ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE
BOOTFLASH: 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
Router uptime is 11 minutes
System returned to ROM by reload
System image file is "flash:c2500-js-l_121-5.bin"
cisco 2500 (68030) processor (revision D) with 16384K/2048K bytes of memory.
Processor board ID 03867477, with hardware revision 00000000
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
1 Token Ring/IEEE 802.5 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read ONLY)
Configuration register is 0x2142 (will be 0x2102 at next reload)

The new configuration register setting becomes active once the router reloads.

Router#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]
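
A router left at 0x2142 after password recovery ignores its startup-config on every reload, so the last line of show version is worth checking on saved captures. The following is an added example, not part of the original lesson: it parses the two register-line forms shown above, and the sample strings and function name are constructed for illustration.

```python
import re

# Matches the last line of "show version", with the optional pending value.
CONFREG_RE = re.compile(
    r"^Configuration register is (0x[0-9A-Fa-f]{1,4})"
    r"(?: \(will be (0x[0-9A-Fa-f]{1,4}) at next reload\))?\s*$",
    re.MULTILINE,
)
IGNORE_NVRAM = 0x0040   # bit 6
DEFAULT = 0x2102        # default value stated on this page

def audit_show_version(text):
    """Return (current, pending, findings) for one 'show version' capture."""
    m = CONFREG_RE.search(text)
    if m is None:
        raise ValueError("no 'Configuration register is' line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else None
    # The pending value, if any, is what the router uses at the next reload.
    effective = pending if pending is not None else current
    findings = []
    if effective & IGNORE_NVRAM:
        findings.append("bit 6 set at next reload: startup-config will be ignored")
    elif current & IGNORE_NVRAM:
        findings.append("booted with bit 6 set; restored value applies after reload")
    if effective != DEFAULT:
        findings.append(
            f"next-reload value 0x{effective:04X} differs from default 0x{DEFAULT:04X}")
    return current, pending, findings

# Constructed samples modelled on the register lines shown on this page.
SAMPLE_RECOVERY = ("32K bytes of non-volatile configuration memory.\n"
                   "Configuration register is 0x2142\n")
SAMPLE_RESTORED = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"
SAMPLE_DEFAULT = "Configuration register is 0x2102\n"

if __name__ == "__main__":
    for sample in (SAMPLE_RECOVERY, SAMPLE_RESTORED, SAMPLE_DEFAULT):
        print(audit_show_version(sample))
```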