Password recovery on a Cisco 1600

While cleaning up my mess here, I found an old Cisco device, an old 1600 series router, which I wanted to inspect before considering throwing it away. After some network magic I found the old IP I used but couldn’t get past the password prompt to sneak around in the configs. My mood dropped instantly as I had forgotten it – until I remembered my USB to serial adapter.

To connect the serial cable I switched the router off and did my setup as follows:

9600 baud
No parity
8 data bits
1 stop bit
No flow control

Knowing Cisco stuff, I remember that those devices have a bootloader which kicks off the operating system. If you send a “break” sequence during bootup you gain access to some nice functionality like changing the configuration it boots from. This is what it looks like:

*** System received an abort due to Break Key ***

signal= 0x3, code= 0x500, context= 0x813ac158
PC = 0x802d0b60, Vector = 0x500, SP = 0x80006030
rommon 1 > _

As I am now seeing a shell, I can try to type my first command, “confreg 0x2142”. After a second one, named “reset”, a shell hails me:

8192K bytes of processor board System flash partition 1 (Read/Write)
8192K bytes of processor board System flash partition 2 (Read/Write)

 --- System Configuration Dialog ---

Would you like to enter the initial configuration dialog? [yes/no]: n

Press RETURN to get started!

Honestly, that was the worst part. Without a password I am now able to get into the administration mode using the command “enable”. As I am interested in the previous configuration on the device I can copy it from the memory. That’s how it is done:

Router#copy startup-config running-config
Destination filename [running-config]?
1324 bytes copied in 2.35 secs (662 bytes/sec)

In theory we are ready to sneak around, but I have to admit, if things break, I don’t want to fiddle around with the password anymore, so I overwrote it, changing the ‘enable secret’:

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret < password >

Now we are really ready. Our configuration rests in memory only, so we need to copy it back using: copy running-config startup-config

Last but not least we need to tell the device to boot from the old config again – which is done using “config-register 0x2102”. Then we are done, ready for all further resets and games.
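
What the two register values in this procedure change, as an added example that is not part of the original post: 0x2142 and 0x2102 differ only in bit 6, which makes the router skip the startup-config in NVRAM at boot. The Python sketch below decodes those bits and checks the configuration register line of “show version”, so a device left at 0x2142 is not overlooked; the sample line is constructed and the function names are assumptions of this example.

```python
import re

# Configuration-register bits relevant to the two values used in the post.
IGNORE_NVRAM = 0x0040    # bit 6: do not load startup-config at boot
BREAK_DISABLED = 0x0100  # bit 8: ignore Break once the system is running
ROM_FALLBACK = 0x2000    # bit 13: fall back to ROM software if boot fails
BOOT_FIELD = 0x000F      # bits 0-3: where to boot from

# Matches the last line of "show version", including a pending change.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

def decode(value):
    """Split a config-register value into the flags decoded above."""
    boot = value & BOOT_FIELD
    if boot == 0:
        boot_mode = "stay in ROM monitor"
    elif boot == 1:
        boot_mode = "boot helper image (platform dependent)"
    else:
        boot_mode = "normal boot"
    return {
        "boot_mode": boot_mode,
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled_after_boot": bool(value & BREAK_DISABLED),
        "rom_fallback": bool(value & ROM_FALLBACK),
    }

def audit(show_version_text):
    """Return (current, next_reload, findings) for one device's output."""
    m = CONFREG_RE.search(show_version_text)
    if m is None:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    next_reload = int(m.group(2), 16) if m.group(2) else current
    findings = []
    if decode(current)["ignores_startup_config"]:
        findings.append("booted without loading startup-config")
    if decode(next_reload)["ignores_startup_config"]:
        findings.append("next reload will skip startup-config again")
    return current, next_reload, findings

# Constructed sample: the state right after typing "config-register 0x2102".
SAMPLE = "Configuration register is 0x2142 (will be 0x2102 at next reload)\n"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty findings list after the final reload means the router is loading its startup-config, and with it the new enable secret, again.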

