Research and Practice of Cisco Series Router Password Recovery

Source: Internet
Author: User

1. Password Recovery Principle

(1) A Cisco router keeps several kinds of configuration parameters and stores them in different memory modules. Cisco series routers have five types of memory: ROM, flash memory, RAM, non-volatile RAM (NVRAM), and dynamic memory (DRAM) (see Table 1). Generally, when a router starts, it first runs the program in ROM, performs the system self-check and boot, then runs the IOS in flash, searches for the router configuration in NVRAM, and loads it into DRAM.

(2) The key to password recovery is to modify the configuration register value (see Table 2) so that the router loads different parameter tables from different memories at start-up. The valid passwords are stored in NVRAM. The essence of password recovery is therefore to first change the configuration register so that the stored configuration does not take effect and the router can start directly. After the password is modified, the configuration register value is restored (if you forget to restore it, the configuration modified after the router is restarted may be lost).

Table 1

Memory    Function

ROM       Stores the system boot program, similar to the BIOS of a PC. It is read-only memory; its contents are not lost when the system powers down.

Flash     Stores the Cisco IOS image, similar to the hard disk of a PC. It is an erasable, programmable ROM; its data is not lost when the system loses power.

NVRAM     Stores the configuration file (startup-config).

RAM       Stores the current system configuration (running-config).

DRAM      Mainly holds the routing table, ARP cache, fast-switch cache, and packet buffers. It also contains the configuration file in use. Its data is lost when the system powers down.

Table 2. Cisco series router configuration register values

Configuration register value    Meaning

0x2102 (default settings)

    Bit13 = 0x2000: after 5 failed boots from flash, automatically boot from ROM

    Bit8 = 0x0100: disable the Break key

    Boot field = 0x2: boot into normal operation mode from flash

0x2101

    Bit13 = 0x2000: after 5 failed boots from flash, automatically boot from ROM

    Bit8 = 0x0100: disable the Break key

    Boot field = 0x1: enter boot ROM running mode, prompt router(boot)>

0x142

    Bit8 = 0x0040: enter the boot monitor running mode, prompt > or rommon>

    Boot field = 0x2: boot into normal operation mode from flash
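
The warning in (2) about forgetting to restore the register can be checked after a recovery. The following is an added example, not part of the original article: it decodes a register value into the fields listed in Table 2 and flags a device that would still skip its startup-config at the next boot. It assumes the register line format printed by "show version" and Cisco's documented bit layout, in which 0x0040 (bit 6) is the ignore-NVRAM flag; the sample lines are constructed.

```python
import re

# Bit layout of the Cisco configuration register (fields named in Table 2).
BOOT_FIELD_MASK = 0x000F  # bits 0-3: boot field
IGNORE_NVRAM = 0x0040     # bit 6: skip the startup-config stored in NVRAM
BREAK_DISABLED = 0x0100   # bit 8: Break key disabled
ROM_FALLBACK = 0x2000     # bit 13: fall back to ROM after repeated boot failures
BOOT_MODES = {0x0: "ROM monitor", 0x1: "boot ROM image"}

REG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def decode(value):
    """Split a configuration register value into its fields."""
    return {
        "boot": BOOT_MODES.get(value & BOOT_FIELD_MASK, "normal boot from flash"),
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }


def audit(show_version_text):
    """Return findings for the register line of one 'show version' output."""
    match = REG_LINE.search(show_version_text)
    if not match:
        return ["configuration register line not found"]
    # A pending value replaces the current one at the next reload.
    effective = int(match.group(2) or match.group(1), 16)
    fields = decode(effective)
    findings = []
    if fields["ignore_nvram"]:
        findings.append(f"{effective:#06x}: startup-config is ignored at boot")
    if fields["boot"] != "normal boot from flash":
        findings.append(f"{effective:#06x}: boots to {fields['boot']}")
    return findings


# Constructed sample lines, not captured from a real device.
SAMPLES = {
    "restored": "Configuration register is 0x142 (will be 0x2102 at next reload)",
    "forgotten": "Configuration register is 0x142",
    "normal": "Configuration register is 0x2102",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, audit(line) or "ok")
```

An empty result means the next boot will load the configuration from NVRAM normally.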

2. Preparations

When designing a router product, the manufacturer reserves a console port, which is an important interface for router configuration. The first step of password recovery is to connect a terminal, or a PC running the HyperTerminal software, to the console port of the router by using the DB25 adapter and crossover cable. The terminal parameter settings are as follows: speed: 9600 bps; data bits: 8; parity: none; stop bits: 1; flow control: none.

3. 800 series routers (taking the 801 as an example)

(1) Press the interrupt key Ctrl+Break within 60 s of startup. If Break is disabled, you can use the cyclic boot method to make the device enter the ROM monitor state; the prompt is ">".

(2) Enter the set command in ROM monitor and write down the current ios-conf value, which is 0x2102:

boot# set

......

set prompt = "boot"

set ios-conf = 0x2102

(3) Enter set ios-conf 142, as shown below:

boot# set ios-conf 142

(4) Enter boot to start the system. If the device asks for initial configuration during the restart, answer "no" to every question, as shown below:

boot# boot

......

8 Kbytes of nonvolatile configuration memory

8 Mbytes of flash on board (4M from flash card)

--- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n

Press RETURN to get started! (press Enter)

(5) Type enable and press Enter to enter the enable (privileged) state. The command sequence is as follows:

Router> en

Router#

(6) Enter config mem to load the original configuration file and enter configuration mode (note: do not use conf t). The command sequence is as follows:

Router# conf mem

801(config)#

(7) Restore the original configuration register value and activate all ports:

801# configure terminal

801(config)# config-register 0x2102

801(config)# interface xx

801(config-if)# no shutdown

(8) Query and record the lost password:

801# show configuration (or show startup-config)

(9) Modify the password:

801# configure terminal

801(config)# line console 0

801(config-line)# login

801(config-line)# password XXXXXXXXX

801(config-line)# Ctrl-Z

801# write memory (or copy running-config startup-config)

4. Detailed operation method for Cisco 2500 series routers (taking the 2509 as an example)

(1) Press the interrupt key Ctrl+Break within 60 s of startup. If Break is disabled, you can use the cyclic boot method to make the device enter the ROM monitor state.

(2) Enter the o command in ROM monitor:

> o

Configuration register = 0x2102 at last boot

......

Write down the current configuration register value, here 0x2102; it is usually 0x2102 or 0x102. If the command does not show the value, you can check a similar router to obtain the configuration register value, or try 0x2102.

(3) Enter o/r 0x0142 to update the configuration register value, so that the configuration file is skipped during router startup and the original password does not take effect. The specific operation is as follows:

> o/r 0x0142

(4) Restart the router:

> i

rommon 2> reset

(5) In "setup" mode, answer "no" to all questions.

(6) Enter privileged mode:

Router> enable

(7) Load the configuration from NVRAM:

Router# configure memory

(8) Restore the original configuration register value and activate all ports:

2509# configure terminal

2509(config)# config-register 0x2102

2509(config)# interface xx

2509(config-if)# no shutdown

(9) Query and record the lost password:

2509# show configuration (or show startup-config)

(10) Modify the password:

2509# configure terminal

2509(config)# line console 0

2509(config-line)# login

2509(config-line)# password xxxxxxx

2509(config-line)# Ctrl-Z

2509# write memory (or copy running-config startup-config)

5. Cisco 2600 series routers (taking the 2611 as an example)

(1) Connect the router console port to the computer serial port, start HyperTerminal on the computer, power on the router, and press Ctrl+Break within 60 s after the router starts to enter the ROM monitor state. The prompt is rommon 1>.

(2) Enter confreg 0x42 in rommon, as shown below:

rommon 1> confreg 0x42

(3) Enter the reset command as follows:

rommon 2> reset

(4) When the configuration dialog prompt is displayed, answer "no". (If you enter "yes" by mistake, press Ctrl+C to exit immediately.) When "Press RETURN to get started!" appears, press Enter to get the Router> prompt.

(5) Enter the enable command to enter the EXEC state; no password is required. Then enter show config at the Router# prompt to view the original router configuration and password. We recommend saving a copy to a text file immediately, to avoid losing the original router configuration through a misoperation.

(6) Load the parameter table stored in NVRAM into memory:

Router# configure memory

(7) The change must be written into NVRAM. Otherwise, the original router configuration will be lost and the password change will not take effect:

Router# write memory

(8) Restore the configuration register value noted in step 1, which is generally 0x2102 (that is, boot normally from flash memory with Break disabled), and activate all ports (the system automatically shuts down all ports):

Router# configure terminal

Router(config)# config-register 0x2102

Router(config)# interface xx

Router(config-if)# no shutdown

Router(config-if)# Ctrl-Z

(9) Restart the router:

Router# reload

6. 3600 series routers (taking the 3640 as an example)

Password recovery on the 3640 is similar to the 2600 series: enter monitor mode and run the confreg command so that the configuration file is ignored at startup and the router boots directly. This method also applies to the 4500, 7500, and 12000 routers.

7. Methods for entering the ROM state on Cisco series routers

Different Cisco routers enter the ROM state in different ways, but the following three methods generally work. Try them one at a time.

(1) If Break is not disabled, press Ctrl+Break within 60 s of startup to stop the startup process and enter the ROM state.

(2) If the Break key is disabled, you can use the cyclic boot method to enter the ROM state: after the router has started, turn the power off and turn it on again after 5 seconds. The router generally enters the ROM state. This method applies to routers such as the 7500 and 12000.

(3) Set the HyperTerminal baud rate to 1200, data bits 8, parity bit 1, stop bit none. Turn on the router power, shut it down after startup, power it on again after 5 s, and hold down the Space key for 12 s until the router has started. Then change the HyperTerminal settings back: baud rate 9600, data bits 8, parity bit 1, stop bit 1. After reconnecting, the terminal shows that the router is in the ROM state. Note: while the baud rate is 1200, no content is displayed on the terminal. This method applies to the 2500, 2600, and 4500 routers.

8. Conclusion

As a layer-3 device, a router is a network device with a high technical level. It involves many protocols and covers a wide technical scope. Being skilled with various routers so that sudden failures can be handled promptly is of great significance for keeping the network running normally. This article only introduces the password recovery methods for typical Cisco series routers, but the specific operations for solving similar problems on other Cisco series routers are similar.
