Cisco 1921 ISR Password Recovery

djfunz

Here's an interesting conundrum. I've performed password recoveries on a number of routers in the past but the 1921 is proving very difficult.

Unfortunately the previous company disabled the password recovery function. I attempted to Ctrl+Break after the IOS image decompresses to no avail. I even found a blog that states that removing the NVRAM daughter board would restore factory defaults allowing one to access ROMMON.

Break sequence on a Cisco 1921 ISR

Up to this point nothing has worked and I was wondering if anyone here has experience with this scenario. Thanks in advance.

networker050184

Have you tried this?

Cisco wrote:

• Another method is to reload or boot the router with console access, and press CTRL-BREAK within five to ten seconds of the Cisco IOS software image decompressing or roughly when the "Image text-base:... " part of the banner begins. You are then prompted to reset the router to factory default (erase start-up configuration).

System Bootstrap, Version 11.1(19)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)Copyright (c) 1998 by Cisco Systems, Inc.C3600 processor with 65536 Kbytes of main memoryMain memory is configured to 64 bit mode with parity enabledPASSWORD RECOVERY FUNCTIONALITY IS DISABLEDprogram load complete, entry point: 0x80008000, size: 0x10ce394Self decompressing the image : ######################################################################################################################################################################################################################## [OK]Smart Init is disabled. IOMEM set to: 10 Using iomem percentage: 10Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.Cisco Systems, Inc.170 West Tasman DriveSan Jose, California 95134-1706Cisco Internetwork Operating System Software IOS (tm) 3600 Software (C3640-IS-M), Version 12.3(3), RELEASE SOFTWARE (fc2)Copyright (c) 1986-2003 by Cisco Systems, Inc.Compiled Mon 18-Aug-03 19:03 by dchihImage text-base: 0x60008950, data-base: 0x61B3E000PASSWORD RECOVERY IS DISABLEDDo you want to reset the router to factory defaultconfiguration and proceed [y/n] ?Reset router configuration to factory default.Cisco 3640 (R4700) processor (revision 0x00) with 59392K/6144K bytes of memory.Processor board ID 09196037R4700 CPU at 100Mhz, Implementation 33, Rev 1.0Bridging software.X.25 software, Version 3.0.0.SuperLAT software (copyright 1990 by Meridian Technology Corp).2 Ethernet/IEEE 802.3 interface(s)2 Voice FXO interface(s)2 Voice FXS interface(s)DRAM configuration is 64 bits wide with parity enabled.125K bytes of non-volatile configuration memory.8192K bytes of processor board System flash (Read/Write)8192K bytes of processor board PCMCIA Slot0 flash (Read/Write)20480K bytes of processor board PCMCIA Slot1 flash (Read/Write)[OK][OK]SETUP: new interface Ethernet0/0 placed in "shutdown" stateSETUP: new interface Ethernet1/0 placed in "shutdown" statePress RETURN to get started!Router>

The no service password-recovery Command for Secure ROMMON Configuration Example - Cisco Systems

bbarrick

[h=2][/h]Will this help?


Break key sequence simulation is useful if your terminal emulator does not support the break key, or if a bug does not allow your terminal emulator to send the correct signal.
Note: The hyperterminal under Windows NT had this behavior in the past.
Complete these steps to simulate a break key sequence:

1. Connect to the router with these terminal settings:
   1200 baud rate
   No parity
   8 data bits
   1 stop bit
   No flow control
   You no longer see any output on your screen, and this is normal.
   
2. Power cycle (switch off and then on) the router and press the SPACEBAR for 10-15 seconds in order to generate a signal similar to the break sequence.
   
3. Disconnect your terminal, and reconnect with a 9600 baud rate. You enter the ROM Monitor mode.

If all these methods fail to properly send a break, retry the procedures from a different terminal or PC platform.

djfunz

Yeah, I attempted to Ctrl+Break after the IOS image decompresses to no avail. I was looking further and was hoping that removal of the Li-Ion cell along with the removal of the daughter board would wipe the contents of the NVRAM. It looks like the cell is soldered to the PCB.

Cisco docs seem to confirm this by stating: If the lithium battery in a Cisco 1900 ISR should fail, the router must be returned to Cisco for repair.

I'm using Secure CRT and have no issues implementing the break command with other routers. The real issue seems to be with the password recovery function being disabled with these particular routers.

djfunz

Ok, it appears to be strictly a timing issue. I apparently didn't try enough.

IOMEM up to: 32Mb.Using 6 percent iomem. [32Mb/512Mb]


PASSWORD RECOVERY IS DISABLED.
Do you want to reset the router to factory default
configuration and proceed [y/n] ?
Reset router configuration to factory default.

The trick I used was to mash the keys tons as soon as the IOS started decompressing. It then asks "Do you want to reset the router to factory default?" It's important to actually hit "y" here otherwise it will continue to boot.

Thanks for the responses guys. Hopefully this thread will help others in the future.

networker050184

I usually end up using the mash it over and over again method too on stuff like this. Glad you figured it out!

everest

Hi, I have the same problem. I tried what you have suggested but no luck. I suing 1921 router. Hope you can help me. Thanks. my email: wesley_26k at yahoo dot com.

prakhar

using spacebar works awesome.
perrfect solution.
resolved my problem in 5 minutes.
thanks alot

Fulcrum45

Wayyyyy late to the party on this one but I just picked up a Cisco 1921 and this thread helped a lot. Thanks again!