cisco 3600 router reset w/password recovery disable 1

[mrttn]

hi, anyone know how to reset the cisco 3600 router back to manufacture default settings or reset the password being that the password recovery is disabled?

here's the ISO version:

System Bootstrap, Version 11.1(17)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)

Copyright (c) 1998 by cisco Systems, Inc.

C3600 processor with 131072 Kbytes of main memory

Main memory is configured to 64 bit mode with parity disabled



PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

program load complete, entry point: 0x80008000, size: 0x6059ac

Self decompressing the image : ############################################################## [OK]




Smart Init is enabled

smart init is sizing iomem

ID MEMORY_REQ TYPE

0000D8 0X00178610 Dual Fast Ethernet Combo Port Module, 2 WAN

0000D8 0X00178610 Dual Fast Ethernet Combo Port Module, 2 WAN

0000D9 0X00143210 Fast Ethernet Combo Port Module, 1 Token Ring, 2 WAN

0X000F3BB0 public buffer pools

0X00211000 public particle pools

TOTAL: 0X007389E0



If any of the above Memory Requirements are

"UNKNOWN", you may be using an unsupported

configuration or there is a software problem and

system operation may be compromised.

Rounded IOMEM up to: 8Mb.

Using 6 percent iomem. [8Mb/128Mb]



Restricted Rights Legend



Use, duplication, or disclosure by the Government is

subject to restrictions as set forth in subparagraph

(c) of the Commercial Computer Software - Restricted

Rights clause at FAR sec. 52.227-19 and subparagraph

(c) (1) (ii) of the Rights in Technical Data and Computer

Software clause at DFARS sec. 252.227-7013.



cisco Systems, Inc.

170 West Tasman Drive

San Jose, California 95134-1706







Cisco Internetwork Operating System Software

IOS (tm) 3600 Software (C3640-I-M), Version 12.2(37), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2006 by cisco Systems, Inc.

Compiled Thu 15-Jun-06 17:36 by pwade

Image text-base: 0x60008930, data-base: 0x60A3E000



cisco 3640 (R4700) processor (revision 0x00) with 122880K/8192K bytes of memory.

Processor board ID 07991272

R4700 CPU at 100Mhz, Implementation 33, Rev 1.0

Bridging software.

X.25 software, Version 3.0.0.

5 FastEthernet/IEEE 802.3 interface(s)

1 Token Ring/IEEE 802.5 interface(s)

DRAM configuration is 64 bits wide with parity disabled.

125K bytes of non-volatile configuration memory.

16384K bytes of processor board System flash (Read/Write)







Press RETURN to get started!





00:00:12: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

00:00:12: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

00:00:12: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up

00:00:12: %LINK-3-UPDOWN: Interface FastEthernet1/1, changed state to up

00:00:13: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up

00:00:13: %SYS-5-CONFIG_I: Configured from memory by console

00:00:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

00:00:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

00:00:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down

00:00:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/1, changed state to down

00:00:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0, changed state to down

00:00:15: %SYS-5-RESTART: System restarted --

Cisco Internetwork Operating System Software

IOS (tm) 3600 Software (C3640-I-M), Version 12.2(37), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2006 by cisco Systems, Inc.

Compiled Thu 15-Jun-06 17:36 by pwade

00:00:15: %SNMP-5-COLDSTART: SNMP agent on host doctor is undergoing a cold start

00:00:15: %LINK-5-CHANGED: Interface FastEthernet1/1, changed state to administratively down

00:00:15: %LINK-5-CHANGED: Interface FastEthernet2/0, changed state to administratively down

00:00:15: %LINK-5-CHANGED: Interface TokenRing2/0, changed state to administratively down

00:00:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface TokenRing2/0, changed state to down

doctor>

doctor>show version

Cisco Internetwork Operating System Software

IOS (tm) 3600 Software (C3640-I-M), Version 12.2(37), RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2006 by cisco Systems, Inc.

Compiled Thu 15-Jun-06 17:36 by pwade

Image text-base: 0x60008930, data-base: 0x60A3E000



ROM: System Bootstrap, Version 11.1(17)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)



doctor uptime is 1 minute

System returned to ROM by power-on

System image file is "flash:c3640-i-mz.122-37.bin"



cisco 3640 (R4700) processor (revision 0x00) with 122880K/8192K bytes of memory.

Processor board ID 07991272

R4700 CPU at 100Mhz, Implementation 33, Rev 1.0

Bridging software.

X.25 software, Version 3.0.0.

5 FastEthernet/IEEE 802.3 interface(s)

1 Token Ring/IEEE 802.5 interface(s)

DRAM configuration is 64 bits wide with parity disabled.

125K bytes of non-volatile configuration memory.

16384K bytes of processor board System flash (Read/Write)

--More--  

--More--  Configuration register is 0x2104

--More--  

doctor>

thanks a lot.

 

[burtsbees]

If you get the message that password recovery functionality is disabled, you are screwed. That NVRAM chip is useless (where the config and therefore functionality commands are stored).

Let me see something here to verify whether or not the NVRAM chip can be replaced as a solution (and it would be your ONLY solution)...

Burt

 

[burtsbees]

Okay---did a little experiment---

THIS IS NOT RECOMMENDED IN ANY OTHER CASE!!!

I did this because in a real world case, you would have a paper weight anyway. I have a surplus of 2610's that I don't necessarily care about, but good for a lab. Mrttn---this is your only choice here! Replacing NVRAM does work. The 2600 series and 3600 series are both the same BOOTROM and NVRAM---the 2600, the NVRAM is the socketed rectangular chip (about 1"X3/4") closest to the fan. Here are my notes with output...

Router#erase start
[OK]
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#config-regist 0x2102
Router(config)#line con 0
Router(config-line)#exi
Router(config)#line con 0
Router(config-line)#login loc
Router(config-line)#exi
Router(config)#username cisco
Router(config)#username cisco priv 15 secret fubar
^
% Invalid input detected at '^' marker.

Router(config)#username cisco priv 15 password fubar
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exi
Router(config)#enable secret fubar
Router(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: y
Router(config)#end
Router#wr
Building configuration...

00:05:06: %SYS-5-CONFIG_I: Configured from console by console[OK]
Router#
Router#
Router#I AM NOW GOING TO SHUT THE ROUTER OFF/ON, AND TRY A BREAK...
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff14ee8, Vector = 0x500, SP = 0x680127b0
PC = 0xfff14ee8, Vector = 0x500, SP = 0x680127b0
C2600 platform with 24576 Kbytes of main memory

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x47935c
Self decompressing the image : ##############PC = 0x800094b8, Vector = 0x500, SP = 0x817ff8b8
################PC = 0x80009fac, Vector = 0x500, SP = 0x817ff8c0
##################PC = 0x80009884, Vector = 0x500, SP = 0x817ff8b0
#####################################################################################################PC = 0x8000a060, Vector = 0x500, SP = 0x817ff8c0
##############PC = 0x80009fb0, Vector = 0x500, SP = 0x817ff8c0
#################PC = 0x8000a08c, Vector = 0x500, SP = 0x817ff8c0
#################PC = 0x8000a074, Vector = 0x500, SP = 0x817ff8c0
#####################################################################################PC = 0x8000b120, Vector = 0x500, SP = 0x817ff8c0
#################PC = 0x800094d8, Vector = 0x500, SP = 0x817ff8b8
################PC = 0x80009f84, Vector = 0x500, SP = 0x817ff8c0
###############PC = 0x80009888, Vector = 0x500, SP = 0x817ff8b0
###########################PC = 0x80009f74, Vector = 0x500, SP = 0x817ff8c0
#################PC = 0x800094c8, Vector = 0x500, SP = 0x817ff8b8
##############PC = 0x8000a07c, Vector = 0x500, SP = 0x817ff8c0
######PC = 0x80009f74, Vector = 0x500, SP = 0x817ff8c0
##########PC = 0x8000b168, Vector = 0x500, SP = 0x817ff8c0
###################################### [OK]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706



Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 11.3(7)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Tue 01-Dec-98 12:31 by ccai
Image text-base: 0x80008084, data-base: 0x8082C820

cisco 2610 (MPC860) processor (revision 0x202) with 18432K/6144K bytes of memory.
Processor board ID JAB031005NA (3539975794)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)



Press RETURN to get started!


00:00:12: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
00:00:12: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:00:12: %SYS-5-CONFIG_I: Configured from memory by console
00:00:12: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 11.3(7)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Tue 01-Dec-98 12:31 by ccai
00:00:13: %LINEPROTO-5-UP

User Access Verification

Username: DOWN: Line protocol on Interface Ethernet0/0, changed state to down
00:00:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
00:00:14: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
Username: I AM NOW GOING TO REPLACE THE NVRAM CHIP
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 24576 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0x47935c
Self decompressing the image : ##################PC = 0xfff0a530, Vector = 0x500, SP = 0x817ff8c0

monitor: command "boot" aborted due to user interrupt
rommon 1 >WE KNOW THAT WORKS...NOW WHAT?

***HERE IS WHERE I SHUT IT OFF, UNPLUG IT, REMOVE THE NVRAM CHIP, PLUG IT BACK IN, AND TURN IT ON...***

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info

Warning: monitor nvram area is corrupt ... using default values
environment write to NVRAM failed
C2600 platform with 24576 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0x47935c
Self decompressing the image : #######################################################################################################################
######################################################################################################################################################
######################################################################################################################################################
###########PC = 0xfff0a530, Vector = 0x500, SP = 0x817ff8c0

***GREAT---WE KNOW IT WILL BOOT THE IOS WITHOUT THE NVRAM CHIP, BUT---WE NEED NVRAM!!! HERE IS WHERE I DO SOMETHING I DO NOT NECESSARILY RECOMMEND!!!!! I ISSUE A BREAK, CHANGE THE CONFIG REGISTER IN ROMMON, THEN WHILE THE ROUTER IS STILL ON, I REPLACE THE NVRAM CHIP THAT HAS THE "NO SERVICE PASSWORD-RECOVERY" COMMAND ON IT!!!

monitor: command "boot" aborted due to user interrupt
rommon 1 > confreg 2142

NOW I PLUG THE NVRAM CHIP BACK IN WHILE THE ROUTER IS STILL UP!!! CRAZY, I KNOW!!! BUT I MIGHT AS WELL---I'M GOING TO HAVE A PAPERWEIGHT ANYWAY!!!

You must reset or power cycle for new config to take effect
rommon 2 > reset

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 24576 Kbytes of main memory

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

***WELL, I'LL BE! IT DIDN'T SCREW ANYTHING UP! NOTE, THE MESSAGE ABOUT PASSWORD RECOVERY IS STILL THERE!***
program load complete, entry point: 0x80008000, size: 0x47935c
Self decompressing the image : #######################################################################################################################
######################################################################################################################################################
######################################################################################################################################################
####################### [OK]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706



Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 11.3(7)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Tue 01-Dec-98 12:31 by ccai
Image text-base: 0x80008084, data-base: 0x8082C820

cisco 2610 (MPC860) processor (revision 0x202) with 18432K/6144K bytes of memory.
Processor board ID JAB031109Y5 (2434955184)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)



--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n


Press RETURN to get started!


00:00:12: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:00:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
00:00:16: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 11.3(7)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Tue 01-Dec-98 12:31 by ccai
00:00:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state
Router>to down
00:00:18: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
Router>en
Router#copy start run

interface Serial0/0
^
% Invalid input detected at '^' marker.

no ip address
% Incomplete command.

shutdown
^
% Invalid input detected at '^' marker.

Router#
00:00:32: %SYS-5-CONFIG_I: Configured from memory by console
Router#sh run
Building configuration...

Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service password-recovery
!
hostname Router
!
enable secret 5 $1$TjLj$s4PEpQOlksgavg0/VRB4..
!
username cisco privilege 15 password 0 fubar
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
!
ip classless
!
!
line con 0
login local
line aux 0
line vty 0 4
login local
!
no scheduler allocate
end

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#service password-recovery
Router(config)#exi
Router#wr
Building configuration...

00:01:01: %SYS-5-CONFIG_I: Configured from console by console[OK]
Router#THERE YOU HAVE IT! IT WORKED, AND I DO NOT HAVE A PAPERWEIGHT AFTER ALL!!!

Burt

 

[burtsbees]

Whoops---the Tek-Tips server reset (got that error message in Firefoix), and I did not think that my reply posted. I fixed a few things to make it easier to read...here you are...

Router#erase start
[OK]
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#config-regist 0x2102
Router(config)#line con 0
Router(config-line)#exi
Router(config)#line con 0
Router(config-line)#login loc
Router(config-line)#exi
Router(config)#username cisco
Router(config)#username cisco priv 15 secret fubar
^
% Invalid input detected at '^' marker.

Router(config)#username cisco priv 15 password fubar
Router(config)#line vty 0 4
Router(config-line)#login local
Router(config-line)#exi
Router(config)#enable secret fubar
Router(config)#no service password-recovery
WARNING:
Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for
password recovery.

Are you sure you want to continue? [yes/no]: y
Router(config)#end
Router#wr
Building configuration...

00:05:06: %SYS-5-CONFIG_I: Configured from console by console[OK]
Router#
Router#
Router#I AM NOW GOING TO SHUT THE ROUTER OFF/ON, AND TRY A BREAK...
System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
PC = 0xfff14ee8, Vector = 0x500, SP = 0x680127b0
PC = 0xfff14ee8, Vector = 0x500, SP = 0x680127b0
C2600 platform with 24576 Kbytes of main memory

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x47935c
Self decompressing the image : ##############PC = 0x800094b8, Vector = 0x500, SP = 0x817ff8b8
################PC = 0x80009fac, Vector = 0x500, SP = 0x817ff8c0
##################PC = 0x80009884, Vector = 0x500, SP = 0x817ff8b0
#####################################################################################################PC = 0x8000a060, Vector = 0x500, SP = 0x817ff8c0
##############PC = 0x80009fb0, Vector = 0x500, SP = 0x817ff8c0
#################PC = 0x8000a08c, Vector = 0x500, SP = 0x817ff8c0
#################PC = 0x8000a074, Vector = 0x500, SP = 0x817ff8c0
#####################################################################################PC = 0x8000b120, Vector = 0x500, SP = 0x817ff8c0
#################PC = 0x800094d8, Vector = 0x500, SP = 0x817ff8b8
################PC = 0x80009f84, Vector = 0x500, SP = 0x817ff8c0
###############PC = 0x80009888, Vector = 0x500, SP = 0x817ff8b0
###########################PC = 0x80009f74, Vector = 0x500, SP = 0x817ff8c0
#################PC = 0x800094c8, Vector = 0x500, SP = 0x817ff8b8
##############PC = 0x8000a07c, Vector = 0x500, SP = 0x817ff8c0
######PC = 0x80009f74, Vector = 0x500, SP = 0x817ff8c0
##########PC = 0x8000b168, Vector = 0x500, SP = 0x817ff8c0
###################################### [OK]

OKAY---TRIED A BREAK SEVERAL TIMES TO NO AVAIL...

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706



Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 11.3(7)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Tue 01-Dec-98 12:31 by ccai
Image text-base: 0x80008084, data-base: 0x8082C820

cisco 2610 (MPC860) processor (revision 0x202) with 18432K/6144K bytes of memory.
Processor board ID JAB031005NA (3539975794)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)



Press RETURN to get started!


00:00:12: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
00:00:12: %LINK-3-UPDOWN: Interface Serial0/0, changed state to down
00:00:12: %SYS-5-CONFIG_I: Configured from memory by console
00:00:12: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 11.3(7)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Tue 01-Dec-98 12:31 by ccai
00:00:13: %LINEPROTO-5-UP

User Access Verification

Username: DOWN: Line protocol on Interface Ethernet0/0, changed state to down
00:00:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
00:00:14: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
Username:

***I AM NOW GOING TO REPLACE THE NVRAM CHIP***

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 24576 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0x47935c
Self decompressing the image : ##################PC = 0xfff0a530, Vector = 0x500, SP = 0x817ff8c0

monitor: command "boot" aborted due to user interrupt
rommon 1 >

*****WE KNOW THAT WORKS...NOW WHAT?******

***HERE IS WHERE I SHUT IT OFF, UNPLUG IT, REMOVE THE NVRAM CHIP, PLUG IT BACK IN, AND TURN IT ON...***

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info


***NOTE THE FOLLOWING ERROR DURING BOOTSTRAP***

Warning: monitor nvram area is corrupt ... using default values
environment write to NVRAM failed
C2600 platform with 24576 Kbytes of main memory

program load complete, entry point: 0x80008000, size: 0x47935c
Self decompressing the image : #######################################################################################################################
######################################################################################################################################################
######################################################################################################################################################
###########PC = 0xfff0a530, Vector = 0x500, SP = 0x817ff8c0

***GREAT---WE KNOW IT WILL BOOT THE IOS WITHOUT THE NVRAM CHIP, BUT---WE NEED NVRAM!!! HERE IS WHERE I DO SOMETHING I DO NOT NECESSARILY RECOMMEND!!!!! I ISSUE A BREAK, CHANGE THE CONFIG REGISTER IN ROMMON, THEN WHILE THE ROUTER IS STILL ON, I REPLACE THE NVRAM CHIP THAT HAS THE "NO SERVICE PASSWORD-RECOVERY" COMMAND ON IT!!!

monitor: command "boot" aborted due to user interrupt
rommon 1 > confreg 2142

NOW I PLUG THE NVRAM CHIP BACK IN WHILE THE ROUTER IS STILL UP!!! CRAZY, I KNOW!!! BUT I MIGHT AS WELL---I'M GOING TO HAVE A PAPERWEIGHT ANYWAY!!!

You must reset or power cycle for new config to take effect
rommon 2 > reset

System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.
TAC:Home:SW:IOS:Specials for info
C2600 platform with 24576 Kbytes of main memory

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

***WELL, I'LL BE! IT DIDN'T SCREW ANYTHING UP! NOTE, THE MESSAGE ABOUT PASSWORD RECOVERY IS STILL THERE!***

program load complete, entry point: 0x80008000, size: 0x47935c
Self decompressing the image : #######################################################################################################################
######################################################################################################################################################
######################################################################################################################################################
####################### [OK]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706



Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 11.3(7)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Tue 01-Dec-98 12:31 by ccai
Image text-base: 0x80008084, data-base: 0x8082C820

cisco 2610 (MPC860) processor (revision 0x202) with 18432K/6144K bytes of memory.
Processor board ID JAB031109Y5 (2434955184)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)



--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n


Press RETURN to get started!


00:00:12: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
00:00:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
00:00:16: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 11.3(7)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Tue 01-Dec-98 12:31 by ccai
00:00:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state
Router>to down
00:00:18: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
Router>en
Router#copy start run

interface Serial0/0
^
% Invalid input detected at '^' marker.

no ip address
% Incomplete command.

shutdown
^
% Invalid input detected at '^' marker.

***HERE IS WHERE YOU CAN EITHER CHANGE THE PASSWORDS OR ISSUE A SH RUN HOPING THAT THE "SERVICE PASSWORD-ENCRYPTION" HAS NEVER BEEN ISSUED, OR "ENABLE SECRET" HAS NEVER BEEN ISSUED. SINCE I KNOW MY OWN PASSWORDS, I WILL SIMPLY DO A SH RUN...***

Router#
00:00:32: %SYS-5-CONFIG_I: Configured from memory by console
Router#sh run
Building configuration...

Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service password-recovery
!
hostname Router
!
enable secret 5 $1$TjLj$s4PEpQOlksgavg0/VRB4..
!
username cisco privilege 15 password 0 fubar
!
!
!
!
interface Ethernet0/0
no ip address
shutdown
!
ip classless
!
!
line con 0
login local
line aux 0
line vty 0 4
login local
!
no scheduler allocate
end

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#service password-recovery
Router(config)#exi
Router#wr
Building configuration...

00:01:01: %SYS-5-CONFIG_I: Configured from console by console[OK]

Router#THERE YOU HAVE IT! IT WORKED, AND I DO NOT HAVE A PAPERWEIGHT AFTER ALL!!!

Burt

 

[mrttn]

first, I like to thanks Burt for helping.

so I opened the box and can't tell which is the NVRAM chip. there are actually two fans and four chips that appear to be detachable but none near to the fans. also, I can't get the step 1 going ..."#erase start" your note shown the "#" prompt and mine have the ">" prompt. I think I'll get the "#" prompt when successfully login, but I can't because I don't know the password and that is why I am trying to reset the box.

any thoughts?

 

[burtsbees]

Well, let's start by answering this...

Notice in the output I posted while the router is booting...

"PASSWORD RECOVERY FUNCTIONALITY IS DISABLED"

Do you get this? Also, I indicated where the NVRAM chip is located in a 2600 series router. I only have one 3600 series, and I am currently using it as my office's edge router, so I cannot experiment with this.

Burt

 

[CiscoGuy33]

mrttn,

First you THANK Burt by clicking the "link" at the bottom of any of his posts and give him a "Pink Star" for this very good advice !!!

Thank burtsbees
for this valuable post!


As for finding the NVRAM - GOOGLE is a WONDERFULL thing, why don't more people USE it -

On the Cisco 3640 and 3660 routers only, the NVRAM chip may be removed and reinstalled in order to erase the configuration. This is possible on these models because a separate battery holds the configuration, and when the chip is removed, the configuration is lost. The silkscreen on the motherboard will identify it as "NVRAM". Be sure to use proper anti-static procedures when handling NVRAM. This procedure does not work on the Cisco 1700, 2600, or 3620 models and should be done only as a last resort if no Cisco IOS image is present in Flash.

You might want to read the whole procedure, seems that you can get into EVEN with the no service password-recovery set -

Title:
Cannot break to ROMmon because the no service password-recovery command has been configured - Ciscowiki

Core Issue:
If the no service password-recovery command has been configured on a router, the break sequence will no longer work in order to get to ROM Monitor (ROMmon) mode to perform a password recovery. If this feature is enabled, the following message is displayed at bootup, indicating that the password recovery functionality is disabled.

System Bootstrap, Version 11.1(4675) [kluk 143], INTERIM SOFTWARE
Copyright (c) 1994-1996 by cisco Systems, Inc.
C3600 processor with 32768 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled

PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x2733f4
Recovery from this state is possible. However, the startup configuration in NVRAM will be lost.

Resolution:
If a Cisco 1700, 2600, 3600, or 3700 series router has been configured with the no service password-recovery command and the enable password is not known, perform the following steps in order to recover the password:

Boot the system.
After the Cisco IOS® image decompresses and shows [OK] (as in the example shown), enter a break sequence within five seconds. Self decompressing the following image: ################################################[OK]For information about the correct break sequence, refer to Standard Break Key Sequence Combinations During Password Recovery.
The router then asks if you want to reset it to the factory default configuration with the following message: PASSWORD RECOVERY IS DISABLED

Do you want to reset the router to factory default
configuration and proceed [y/n] ? y
Reset router configuration to factory default.
The router now boots with no configuration.

http://supportwiki.cisco.com/ViewWi...password-recovery_command_has_been_configured

Hope this helps!

E.A. Broda
CCNA, CCDA, CCAI, Network +

 

[burtsbees]

Gene---hate to break this to you, but I have NEVER seen that wiki thing work. Also, simply removing the NVRAM chip will NOT erase it! Trust me on that one!

Burt

 

[CiscoGuy33]

Burt,

I am trying this on a 2610, I changed the "no service password-recovery" and got the -
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED

I let the router boot and after the ##########################################[OK] I hit control break - normally for password recovery we hit break right away to get into romon, here you wait after the IOS is loading!!!

Do you want to reset the router to factory default
configuration and proceed [y/n] ? but I had added an extra keystroke and was by the place to enter the Y and it would not let me go back.

I got this 3x but each time I had the extra keystoke and was by the place to put it YES

I could not get it to come up everytime, I was trying a combo of just hitting break and holding it down, I will keep playing with it but I DID SEE THE MESSAGE to reset to factory default 3 times!!! It is worth giving a shot.......

As for the 3640, the article said that the NVRAM is powered by a battery on the 3640 and 3660 unlike ALL the others - so pulling the NVRAM as a last ditch effort should clear it if the Cisco wiki is right about the 3640 and 3660.

Just some thoughts and I will report more as I play with this 2610.




E.A. Broda
CCNA, CCDA, CCAI, Network +

 

[burtsbees]

OK...maybe I'm just not that patient...lol

Also, my 3640 is my edge device, so I don't want to accidentally fry NVRAM...

Burt

 

[mrttn]

thanks Ciscoguy33 but I've already tried the "break key sequence" and it didn't work.

I just can't tell which is the NVRAM chip. do you know the label on it?

also, if I buy a pcmcia flash card, how does it works?
does it work like a bootable pc image disc, where you can just wipe everything and install the iso image?

thanks again,

 

[mrttn]

I tried the "break key sequence" again, again and again...again, and it worked.

omg, many thanksssssssssssssssssssssss!!!!!!!!!!!

 

[burtsbees]

Replacing flash will do nothing for you! Read the documents! Try EXACTLY what Gene suggests, and WAIT until the IOS loads ALL THE WAY---you should get the message to switch it to factory defaults. If not, then removing and reseating NVRAM is your ONLY other option, other than what I stated!

"The silkscreen on the motherboard will identify it as "NVRAM"."

Perhaps later I will dismantle my 3640 and find the NVRAM chip!

Burt

 

[CiscoGuy33]

mrttn,

Yeah, it does not do it everytime but I got it 3x out of 9 reboots.

You got to hit it just right, at least I know it can be done!!

So, I guess some of those "bricks" out there can be saved

I found it by "Googling" Cisco 3640 NVRAM

E.A. Broda
CCNA, CCDA, CCAI, Network +