cisco 857 password recovery

Discussion in 'Cisco' started by GT, Jun 30, 2009.

  1. GT

    GT Guest

    this is a post re. the recovery of an 857 router during an IOS
    update.

    the system has been previously configured with the 'no service
    password-recovery',

    the IOS image has been removed from flash, prior to upgrade. However
    we are now unable to enter 'rommon' mode to download new ios image in
    the normal manner.

    i have found technotes on this, that seem to indicate that even with
    this enabled, we can do ctrl-break when it loads the IOS image to
    enter rommon.

    however we do not get to this point on account of no ios image, such
    that the router continually recycles.

    the capability of the 'reset' button seems also to have been disabled
    (i can't be sure whether this is on account of the password-recovery
    configuration).

    would be v.glad of the workaround to this - seem this would relate to
    a reset somehow of the config-register to its factory default. Thanks
     
    GT, Jun 30, 2009
    #1
    1. Advertising

  2. GT

    bod43 Guest

    On 30 June, 18:45, GT <> wrote:
    > this is a post re. the recovery of an 857 router during an IOS
    > update.
    >
    > the system has been previously configured with the 'no service
    > password-recovery',
    >
    > the IOS image has been removed from flash, prior to upgrade. However
    > we are now unable to enter 'rommon' mode to download new ios image in
    > the normal manner.
    >
    > i have found technotes on this, that seem to indicate that even with
    > this enabled, we can do ctrl-break when it loads the IOS image to
    > enter rommon.
    >
    > however we do not get to this point on account of no ios image, such
    > that the router continually recycles.
    >
    > the capability of the 'reset' button seems also to have been disabled
    > (i can't be sure whether this is on account of the password-recovery
    > configuration).
    >
    > would be v.glad of the workaround to this  - seem this would relate to
    > a reset somehow of the config-register to its factory default. Thanks


    Well according to this document -

    http://www.cisco.com/en/US/products...s_configuration_example09186a00801d8113.shtml

    the router is dead.

    no service password-recovery disables access to
    the rommon prompt. No recovery requiring rommon
    can be accomplished.

    You will need a second router in which to temporarily install
    the flash module. I would imagine that any 850 series router
    will suffice.
     
    bod43, Jun 30, 2009
    #2
    1. Advertising

  3. On Jun 30, 7:37 pm, bod43 <> wrote:
    > On 30 June, 18:45, GT <> wrote:
    >
    >
    >
    >
    >
    > > this is a post re. the recovery of an 857 router during an IOS
    > > update.

    >
    > > the system has been previously configured with the 'no service
    > > password-recovery',

    >
    > > the IOS image has been removed from flash, prior to upgrade. However
    > > we are now unable to enter 'rommon' mode to download new ios image in
    > > the normal manner.

    >
    > > i have found technotes on this, that seem to indicate that even with
    > > this enabled, we can do ctrl-break when it loads the IOS image to
    > > enter rommon.

    >
    > > however we do not get to this point on account of no ios image, such
    > > that the router continually recycles.

    >
    > > the capability of the 'reset' button seems also to have been disabled
    > > (i can't be sure whether this is on account of the password-recovery
    > > configuration).

    >
    > > would be v.glad of the workaround to this  - seem this would relate to
    > > a reset somehow of the config-register to its factory default. Thanks

    >
    > Well according to this document -
    >
    > http://www.cisco.com/en/US/products/hw/routers/ps274/products_configu...
    >
    > the router is dead.
    >
    > no service password-recovery disables access to
    > the rommon prompt. No recovery requiring rommon
    > can be accomplished.
    >
    > You will need a second router in which to temporarily install
    > the flash module. I would imagine that any 850 series router
    > will suffice.- Hide quoted text -
    >
    > - Show quoted text -


    Thanks for note back.

    re flash memory - how does that work ? is the onboard flash removable,
    or do you suggest to add additonal flash memory, somehow causing the
    router to reset ?
     
    Graham Turner, Jun 30, 2009
    #3
  4. GT

    bod43 Guest

    On 30 June, 19:49, Graham Turner <> wrote:
    > On Jun 30, 7:37 pm, bod43 <> wrote:
    >
    >
    >
    > > On 30 June, 18:45, GT <> wrote:

    >
    > > > this is a post re. the recovery of an 857 router during an IOS
    > > > update.

    >
    > > > the system has been previously configured with the 'no service
    > > > password-recovery',

    >
    > > > the IOS image has been removed from flash, prior to upgrade. However
    > > > we are now unable to enter 'rommon' mode to download new ios image in
    > > > the normal manner.

    >
    > > > i have found technotes on this, that seem to indicate that even with
    > > > this enabled, we can do ctrl-break when it loads the IOS image to
    > > > enter rommon.

    >
    > > > however we do not get to this point on account of no ios image, such
    > > > that the router continually recycles.

    >
    > > > the capability of the 'reset' button seems also to have been disabled
    > > > (i can't be sure whether this is on account of the password-recovery
    > > > configuration).

    >
    > > > would be v.glad of the workaround to this  - seem this would relate to
    > > > a reset somehow of the config-register to its factory default. Thanks

    >
    > > Well according to this document -

    >
    > >http://www.cisco.com/en/US/products/hw/routers/ps274/products_configu...

    >
    > > the router is dead.

    >
    > > no service password-recovery disables access to
    > > the rommon prompt. No recovery requiring rommon
    > > can be accomplished.

    >
    > > You will need a second router in which to temporarily install
    > > the flash module. I would imagine that any 850 series router
    > > will suffice.- Hide quoted text -

    >
    > > - Show quoted text -

    >
    > Thanks for note back.
    >
    > re flash memory - how does that work ? is the onboard flash removable,
    > or do you suggest to add additonal flash memory, somehow causing the
    > router to reset ?


    No, you need a second working router and you will have to
    remove the flash from it and put the flash from the broken
    router into the good one and put an IOS image on the
    'broken' flash.

    The onboard flash is a memory stick. I forget the
    exact technology. SIMM, DIMM thingy. There will
    probably be two, RAM and FLASH. If you have ever
    removed a memory stick from a PC you will have no trouble.

    The FLASH chip contains the software image and maybe
    other files. You can recover an image on to the flash
    by putting it in another router and downloading an image.

    Once you get an image in the router you can then follow
    the instructions on the page previousy pointed at.

    Try this one first -
    "Another method is to reload or boot the router with
    console access"
     
    bod43, Jun 30, 2009
    #4
  5. On Jun 30, 8:12 pm, bod43 <> wrote:
    > On 30 June, 19:49, Graham Turner <> wrote:
    >
    >
    >
    >
    >
    > > On Jun 30, 7:37 pm, bod43 <> wrote:

    >
    > > > On 30 June, 18:45, GT <> wrote:

    >
    > > > > this is a post re. the recovery of an 857 router during an IOS
    > > > > update.

    >
    > > > > the system has been previously configured with the 'no service
    > > > > password-recovery',

    >
    > > > > the IOS image has been removed from flash, prior to upgrade. However
    > > > > we are now unable to enter 'rommon' mode to download new ios image in
    > > > > the normal manner.

    >
    > > > > i have found technotes on this, that seem to indicate that even with
    > > > > this enabled, we can do ctrl-break when it loads the IOS image to
    > > > > enter rommon.

    >
    > > > > however we do not get to this point on account of no ios image, such
    > > > > that the router continually recycles.

    >
    > > > > the capability of the 'reset' button seems also to have been disabled
    > > > > (i can't be sure whether this is on account of the password-recovery
    > > > > configuration).

    >
    > > > > would be v.glad of the workaround to this  - seem this would relate to
    > > > > a reset somehow of the config-register to its factory default. Thanks

    >
    > > > Well according to this document -

    >
    > > >http://www.cisco.com/en/US/products/hw/routers/ps274/products_configu....

    >
    > > > the router is dead.

    >
    > > > no service password-recovery disables access to
    > > > the rommon prompt. No recovery requiring rommon
    > > > can be accomplished.

    >
    > > > You will need a second router in which to temporarily install
    > > > the flash module. I would imagine that any 850 series router
    > > > will suffice.- Hide quoted text -

    >
    > > > - Show quoted text -

    >
    > > Thanks for note back.

    >
    > > re flash memory - how does that work ? is the onboard flash removable,
    > > or do you suggest to add additonal flash memory, somehow causing the
    > > router to reset ?

    >
    > No, you need a second working router and you will have to
    > remove the flash from it and put the flash from the broken
    > router into the good one and put an IOS image on the
    > 'broken' flash.
    >
    > The onboard flash is a memory stick. I forget the
    > exact technology. SIMM, DIMM thingy. There will
    > probably be two, RAM and FLASH. If you have ever
    > removed a memory stick from a PC you will have no trouble.
    >
    > The FLASH chip contains the software image and maybe
    > other files. You can recover an image on to the flash
    > by putting it in another router and downloading an image.
    >
    > Once you get an image in the router you can then follow
    > the instructions on the page previousy pointed at.
    >
    > Try this one first -
    > "Another method is to reload or boot the router with
    > console access"- Hide quoted text -
    >
    > - Show quoted text -


    Thanks further note back. not sure if i am being daft, but does not
    appear to be any removable mem modules on the 857 we have.

    there are 3 empty 'slots' - one DIMM like, and two slots of the types
    that i have installed vpn modules in - dont know if that makes sense ?

    Although we have been remiss in removing the flash contents with the
    'service password recovery disabled' i can't believe that there is not
    some hardware reset, presumably if we could get back to the default
    config-register that does not have the bit set that disables 'break' ?
     
    Graham Turner, Jun 30, 2009
    #5
  6. Graham Turner <> writes:
    >Thanks further note back. not sure if i am being daft, but does not
    >appear to be any removable mem modules on the 857 we have.


    >there are 3 empty 'slots' - one DIMM like, and two slots of the types
    >that i have installed vpn modules in - dont know if that makes sense ?



    The 857 doesn't have removable Flash like most other Cisco routers
    (including the 877 which does).

    Since the flash is soldered onto the board, you can't do the trick
    around it that he was trying to explain.


    >Although we have been remiss in removing the flash contents with the
    >'service password recovery disabled' i can't believe that there is not
    >some hardware reset, presumably if we could get back to the default
    >config-register that does not have the bit set that disables 'break' ?


    The point of the 'no service password recovery' was to lock the box
    out of all physical attacks for service providers that wanted to make
    sure their subscribers couldn't get back in and do their own configs.

    Its even half-way tame now-a-days compared to what it was when it was
    a fully undocumented command, where you didn't have any config-erase
    type option that loading the IOS gives you now.

    But, sorry to say, the only way out of this would be to in-circuit
    reprogram the flash chip where the NVRAM/config is stored if that is
    even possible.

    Or put Smartnet on it, and have it advanced replaced by Cisco TAC.
    Probably won't be the first time they've had to.
     
    Doug McIntyre, Jun 30, 2009
    #6
  7. On Jun 30, 10:06 pm, Doug McIntyre <> wrote:
    > Graham Turner <> writes:
    > >Thanks further note back. not sure if i am being daft, but does not
    > >appear to be any removable mem modules on the 857 we have.
    > >there are 3 empty 'slots' - one DIMM like, and two slots of the types
    > >that i have installed vpn modules in - dont know if that makes sense ?

    >
    > The 857 doesn't have removable Flash like most other Cisco routers
    > (including the 877 which does).
    >
    > Since the flash is soldered onto the board, you can't do the trick
    > around it that he was trying to explain.
    >
    > >Although we have been remiss in removing the flash contents with the
    > >'service password recovery disabled' i can't believe that there is not
    > >some hardware reset, presumably if we could get back to the default
    > >config-register that does not have the bit set that disables 'break' ?

    >
    > The point of the 'no service password recovery' was to lock the box
    > out of all physical attacks for service providers that wanted to make
    > sure their subscribers couldn't get back in and do their own configs.
    >
    > Its even half-way tame now-a-days compared to what it was when it was
    > a fully undocumented command, where you didn't have any config-erase
    > type option that loading the IOS gives you now.
    >
    > But, sorry to say, the only way out of this would be to in-circuit
    > reprogram the flash chip where the NVRAM/config is stored if that is
    > even possible.
    >
    > Or put Smartnet on it, and have it advanced replaced by Cisco TAC.
    > Probably won't be the first time they've had to.


    Doug, thanks for note back.

    do i have it right then that the 'no service password-recovery'
    disables the capability of the hardware reset button ?

    we are not interested in anything on the router,
     
    Graham Turner, Jul 1, 2009
    #7
  8. GT

    bod43 Guest

    On 30 June, 22:06, Doug McIntyre <> wrote:
    > Graham Turner <> writes:
    > >Thanks further note back. not sure if i am being daft, but does not
    > >appear to be any removable mem modules on the 857 we have.
    > >there are 3 empty 'slots' - one DIMM like, and two slots of the types
    > >that i have installed vpn modules in - dont know if that makes sense ?

    >
    > The 857 doesn't have removable Flash like most other Cisco routers
    > (including the 877 which does).


    Sorry. I had the idea that the 877 was removable but I
    did not know about the 850. We mostly used 870's.

    It's not like cisco to have something which cannot be recovered.
    Very, very unusual.

    I am not sure what the slots are for but I would guess
    extra RAM and Flash.

    http://www.cisco.com/en/US/docs/routers/access/800/hardware/notes/800upgrd.html

    Cisco 851 and 857 routers
    Flash Memory Card Options 4 MB, 16 MB, or 32 MB
    Default Flash Memory 20 MB (onboard flash memory only)
    Maximum Flash Memory 20 MB

    This seems ODD.
    Default + Option = Max (which is Default)

    There are no flash memory part numbers listed for the 85x.

    Thing is that it is important to remember the purpose
    of no service-pass. It is to *ensure* that cryptographic
    keys cannot be recovered from the router. It is going
    to be tough to work round.

    As suggested, get it on smartnet and let cisco deal with it.
    Or get another one on ebay?
     
    bod43, Jul 1, 2009
    #8
  9. On Jul 1, 8:10 am, bod43 <> wrote:
    > On 30 June, 22:06, Doug McIntyre <> wrote:
    >
    > > Graham Turner <> writes:
    > > >Thanks further note back. not sure if i am being daft, but does not
    > > >appear to be any removable mem modules on the 857 we have.
    > > >there are 3 empty 'slots' - one DIMM like, and two slots of the types
    > > >that i have installed vpn modules in - dont know if that makes sense ?

    >
    > > The 857 doesn't have removable Flash like most other Cisco routers
    > > (including the 877 which does).

    >
    > Sorry. I had the idea that the 877 was removable but I
    > did not know about the 850. We mostly used 870's.
    >
    > It's not like cisco to have something which cannot be recovered.
    > Very, very unusual.
    >
    > I am not sure what the slots are for but I would guess
    > extra RAM and Flash.
    >
    > http://www.cisco.com/en/US/docs/routers/access/800/hardware/notes/800...
    >
    > Cisco 851 and 857 routers
    > Flash Memory Card Options 4 MB, 16 MB, or 32 MB
    > Default Flash Memory 20 MB (onboard flash memory only)
    > Maximum Flash Memory 20 MB
    >
    > This seems ODD.
    > Default + Option = Max (which is Default)
    >
    > There are no flash memory part numbers listed for the 85x.
    >
    > Thing is that it is important to remember the purpose
    > of no service-pass. It is to *ensure* that cryptographic
    > keys cannot be recovered from the router. It is going
    > to be tough to work round.
    >
    > As suggested, get it on smartnet and let cisco deal with it.
    > Or get another one on ebay?


    i am totally happy with the purpose of the 'service-pass' to prevent
    recovery of passwords, but this is not what we want to do

    do i have it right though that this disables the hardware reset
    button, which seems to be ignored by the router ?
     
    Graham Turner, Jul 1, 2009
    #9
  10. GT

    bod43 Guest

    On 1 July, 08:21, Graham Turner <> wrote:
    > On Jul 1, 8:10 am, bod43 <> wrote:
    >
    >
    >
    > > On 30 June, 22:06, Doug McIntyre <> wrote:

    >
    > > > Graham Turner <> writes:
    > > > >Thanks further note back. not sure if i am being daft, but does not
    > > > >appear to be any removable mem modules on the 857 we have.
    > > > >there are 3 empty 'slots' - one DIMM like, and two slots of the types
    > > > >that i have installed vpn modules in - dont know if that makes sense ?

    >
    > > > The 857 doesn't have removable Flash like most other Cisco routers
    > > > (including the 877 which does).

    >
    > > Sorry. I had the idea that the 877 was removable but I
    > > did not know about the 850. We mostly used 870's.

    >
    > > It's not like cisco to have something which cannot be recovered.
    > > Very, very unusual.

    >
    > > I am not sure what the slots are for but I would guess
    > > extra RAM and Flash.

    >
    > >http://www.cisco.com/en/US/docs/routers/access/800/hardware/notes/800...

    >
    > > Cisco 851 and 857 routers
    > > Flash Memory Card Options 4 MB, 16 MB, or 32 MB
    > > Default Flash Memory 20 MB (onboard flash memory only)
    > > Maximum Flash Memory 20 MB

    >
    > > This seems ODD.
    > > Default + Option = Max (which is Default)

    >
    > > There are no flash memory part numbers listed for the 85x.

    >
    > > Thing is that it is important to remember the purpose
    > > of no service-pass. It is to *ensure* that cryptographic
    > > keys cannot be recovered from the router. It is going
    > > to be tough to work round.

    >
    > > As suggested, get it on smartnet and let cisco deal with it.
    > > Or get another one on ebay?

    >
    > i am totally happy with the purpose of the 'service-pass' to prevent
    > recovery of passwords, but this is not what we want to do
    >
    > do i have it right though that this disables the hardware reset
    > button, which seems to be ignored by the router ?


    I think the button only does a cold boot reset - like on a PC.
    I know that some other network kit does a factory reset
    but cisco does not as far as I am aware.
    I have never used it.

    Have you tried sending a break in the first 5 seconds after power on?

    Firstly make SURE you are sending a break - ideally test on
    another router.

    I suggest then (if using hyperterminal and not using a
    USB serial port adapter that does not send break)
    press the <CTRL> key
    power on the router
    immediately begin pressing the break key every two seconds
    do not hammer away at it
    do this for at least ten seconds

    Power off and try again every second.

    Some USB serial port adapters do not send break signal
    Some versions of hyperterminal do not send a break signal.
    Various different terminal emulators use different keys
    Macintoshes apparently do not send breaks (but there
    is a workaround - set very slow baud rate and press some
    certain key or other)

    Why not try for longer too?
     
    bod43, Jul 1, 2009
    #10
  11. On Jul 1, 9:28 am, bod43 <> wrote:
    > On 1 July, 08:21, Graham Turner <> wrote:
    >
    >
    >
    >
    >
    > > On Jul 1, 8:10 am, bod43 <> wrote:

    >
    > > > On 30 June, 22:06, Doug McIntyre <> wrote:

    >
    > > > > Graham Turner <> writes:
    > > > > >Thanks further note back. not sure if i am being daft, but does not
    > > > > >appear to be any removable mem modules on the 857 we have.
    > > > > >there are 3 empty 'slots' - one DIMM like, and two slots of the types
    > > > > >that i have installed vpn modules in - dont know if that makes sense ?

    >
    > > > > The 857 doesn't have removable Flash like most other Cisco routers
    > > > > (including the 877 which does).

    >
    > > > Sorry. I had the idea that the 877 was removable but I
    > > > did not know about the 850. We mostly used 870's.

    >
    > > > It's not like cisco to have something which cannot be recovered.
    > > > Very, very unusual.

    >
    > > > I am not sure what the slots are for but I would guess
    > > > extra RAM and Flash.

    >
    > > >http://www.cisco.com/en/US/docs/routers/access/800/hardware/notes/800....

    >
    > > > Cisco 851 and 857 routers
    > > > Flash Memory Card Options 4 MB, 16 MB, or 32 MB
    > > > Default Flash Memory 20 MB (onboard flash memory only)
    > > > Maximum Flash Memory 20 MB

    >
    > > > This seems ODD.
    > > > Default + Option = Max (which is Default)

    >
    > > > There are no flash memory part numbers listed for the 85x.

    >
    > > > Thing is that it is important to remember the purpose
    > > > of no service-pass. It is to *ensure* that cryptographic
    > > > keys cannot be recovered from the router. It is going
    > > > to be tough to work round.

    >
    > > > As suggested, get it on smartnet and let cisco deal with it.
    > > > Or get another one on ebay?

    >
    > > i am totally happy with the purpose of the 'service-pass' to prevent
    > > recovery of passwords, but this is not what we want to do

    >
    > > do i have it right though that this disables the hardware reset
    > > button, which seems to be ignored by the router ?

    >
    > I think the button only does a cold boot reset - like on a PC.
    > I know that some other network kit does a factory reset
    > but cisco does not as far as I am aware.
    > I have never used it.
    >
    > Have you tried sending a break in the first 5 seconds after power on?
    >
    > Firstly make SURE you are sending a break - ideally test on
    > another router.
    >
    > I suggest then (if using hyperterminal and not using a
    > USB serial port adapter that does not send break)
    > press the <CTRL> key
    > power on the router
    > immediately begin pressing the break key every two seconds
    > do not hammer away at it
    > do this for at least ten seconds
    >
    > Power off and try again every second.
    >
    > Some USB serial port adapters do not send break signal
    > Some versions of hyperterminal do not send a break signal.
    > Various different terminal emulators use different keys
    > Macintoshes apparently do not send breaks (but there
    > is a workaround - set very slow baud rate and press some
    > certain key or other)
    >
    > Why not try for longer too?- Hide quoted text -
    >
    > - Show quoted text -


    I am sure that we are sending the break to the router - have tested
    same sequence on a functional 857.

    what i suspect is that the 'no service password-recovery' has done has
    manipulated the config-register so as to perhaps disable the break ?
    or perhaps access to the rommon completely ?

    Thanks again for notes back
     
    Graham Turner, Jul 1, 2009
    #11
  12. GT

    bod43 Guest

    On 1 July, 10:04, Graham Turner <> wrote:
    > On Jul 1, 9:28 am, bod43 <> wrote:
    >
    >
    >
    > > On 1 July, 08:21, Graham Turner <> wrote:

    >
    > > > On Jul 1, 8:10 am, bod43 <> wrote:

    >
    > > > > On 30 June, 22:06, Doug McIntyre <> wrote:

    >
    > > > > > Graham Turner <> writes:
    > > > > > >Thanks further note back. not sure if i am being daft, but does not
    > > > > > >appear to be any removable mem modules on the 857 we have.
    > > > > > >there are 3 empty 'slots' - one DIMM like, and two slots of the types
    > > > > > >that i have installed vpn modules in - dont know if that makes sense ?

    >
    > > > > > The 857 doesn't have removable Flash like most other Cisco routers
    > > > > > (including the 877 which does).

    >
    > > > > Sorry. I had the idea that the 877 was removable but I
    > > > > did not know about the 850. We mostly used 870's.

    >
    > > > > It's not like cisco to have something which cannot be recovered.
    > > > > Very, very unusual.

    >
    > > > > I am not sure what the slots are for but I would guess
    > > > > extra RAM and Flash.

    >
    > > > >http://www.cisco.com/en/US/docs/routers/access/800/hardware/notes/800...

    >
    > > > > Cisco 851 and 857 routers
    > > > > Flash Memory Card Options 4 MB, 16 MB, or 32 MB
    > > > > Default Flash Memory 20 MB (onboard flash memory only)
    > > > > Maximum Flash Memory 20 MB

    >
    > > > > This seems ODD.
    > > > > Default + Option = Max (which is Default)

    >
    > > > > There are no flash memory part numbers listed for the 85x.

    >
    > > > > Thing is that it is important to remember the purpose
    > > > > of no service-pass. It is to *ensure* that cryptographic
    > > > > keys cannot be recovered from the router. It is going
    > > > > to be tough to work round.

    >
    > > > > As suggested, get it on smartnet and let cisco deal with it.
    > > > > Or get another one on ebay?

    >
    > > > i am totally happy with the purpose of the 'service-pass' to prevent
    > > > recovery of passwords, but this is not what we want to do

    >
    > > > do i have it right though that this disables the hardware reset
    > > > button, which seems to be ignored by the router ?

    >
    > > I think the button only does a cold boot reset - like on a PC.
    > > I know that some other network kit does a factory reset
    > > but cisco does not as far as I am aware.
    > > I have never used it.

    >
    > > Have you tried sending a break in the first 5 seconds after power on?

    >
    > > Firstly make SURE you are sending a break - ideally test on
    > > another router.

    >
    > > I suggest then (if using hyperterminal and not using a
    > > USB serial port adapter that does not send break)
    > > press the <CTRL> key
    > > power on the router
    > > immediately begin pressing the break key every two seconds
    > > do not hammer away at it
    > > do this for at least ten seconds

    >
    > > Power off and try again every second.

    >
    > > Some USB serial port adapters do not send break signal
    > > Some versions of hyperterminal do not send a break signal.
    > > Various different terminal emulators use different keys
    > > Macintoshes apparently do not send breaks (but there
    > > is a workaround - set very slow baud rate and press some
    > > certain key or other)

    >
    > > Why not try for longer too?- Hide quoted text -

    >
    > > - Show quoted text -

    >
    > I am sure that we are sending the break to the router - have tested
    > same sequence on a functional 857.
    >
    > what i suspect is that the 'no service password-recovery' has done has
    > manipulated the config-register so as to perhaps disable the break ?
    > or perhaps access to the rommon completely ?
    >
    > Thanks again for notes back


    My frail understanding is that no service password-rec
    disables access to the rommon.

    It seems that once IOS starts there is a short period
    where the serial port is monitored for a break signal
    which permits entry to the recovery menu which has
    the option of clearing the config.

    So with no IOS and no reasonable way to get one on board
    you seem to be stuffed.

    De-soldering and re-soldering these chips is quite possible
    for suitably skilled people but on a commercial basis for
    sure not worth it. Especially if you were to consider
    dismantling a good router as well!!!

    I think they use a hot air gun to heat the board and release/
    re-attach the chip. Trick might be to make sure that not too
    much falls off.

    Still, now you have had a course on cisco boot process.
    Most of the routers/switches are very similar.
     
    bod43, Jul 1, 2009
    #12
  13. GT

    Uli Link Guest

    Graham Turner schrieb:

    > what i suspect is that the 'no service password-recovery' has done has
    > manipulated the config-register so as to perhaps disable the break ?
    > or perhaps access to the rommon completely ?


    That's what the docs say about this feature.
    You can recover by completly erasing the config by sending the break
    sequence in the first 5 seconds after the [ok] appears after the image
    is decompressed. But you'll need an working IOS image on the device (or
    configured TFTP boot a backup image before). Without a decompressed
    ready to run IOS in RAM there is no (documented or known) way into the
    box. Smartnet -> RMA.

    --
    ULi
     
    Uli Link, Jul 1, 2009
    #13
  14. On Jul 1, 11:14 am, bod43 <> wrote:
    > On 1 July, 10:04, Graham Turner <> wrote:
    >
    >
    >
    >
    >
    > > On Jul 1, 9:28 am, bod43 <> wrote:

    >
    > > > On 1 July, 08:21, Graham Turner <> wrote:

    >
    > > > > On Jul 1, 8:10 am, bod43 <> wrote:

    >
    > > > > > On 30 June, 22:06, Doug McIntyre <> wrote:

    >
    > > > > > > Graham Turner <> writes:
    > > > > > > >Thanks further note back. not sure if i am being daft, but does not
    > > > > > > >appear to be any removable mem modules on the 857 we have.
    > > > > > > >there are 3 empty 'slots' - one DIMM like, and two slots of the types
    > > > > > > >that i have installed vpn modules in - dont know if that makes sense ?

    >
    > > > > > > The 857 doesn't have removable Flash like most other Cisco routers
    > > > > > > (including the 877 which does).

    >
    > > > > > Sorry. I had the idea that the 877 was removable but I
    > > > > > did not know about the 850. We mostly used 870's.

    >
    > > > > > It's not like cisco to have something which cannot be recovered.
    > > > > > Very, very unusual.

    >
    > > > > > I am not sure what the slots are for but I would guess
    > > > > > extra RAM and Flash.

    >
    > > > > >http://www.cisco.com/en/US/docs/routers/access/800/hardware/notes/800...

    >
    > > > > > Cisco 851 and 857 routers
    > > > > > Flash Memory Card Options 4 MB, 16 MB, or 32 MB
    > > > > > Default Flash Memory 20 MB (onboard flash memory only)
    > > > > > Maximum Flash Memory 20 MB

    >
    > > > > > This seems ODD.
    > > > > > Default + Option = Max (which is Default)

    >
    > > > > > There are no flash memory part numbers listed for the 85x.

    >
    > > > > > Thing is that it is important to remember the purpose
    > > > > > of no service-pass. It is to *ensure* that cryptographic
    > > > > > keys cannot be recovered from the router. It is going
    > > > > > to be tough to work round.

    >
    > > > > > As suggested, get it on smartnet and let cisco deal with it.
    > > > > > Or get another one on ebay?

    >
    > > > > i am totally happy with the purpose of the 'service-pass' to prevent
    > > > > recovery of passwords, but this is not what we want to do

    >
    > > > > do i have it right though that this disables the hardware reset
    > > > > button, which seems to be ignored by the router ?

    >
    > > > I think the button only does a cold boot reset - like on a PC.
    > > > I know that some other network kit does a factory reset
    > > > but cisco does not as far as I am aware.
    > > > I have never used it.

    >
    > > > Have you tried sending a break in the first 5 seconds after power on?

    >
    > > > Firstly make SURE you are sending a break - ideally test on
    > > > another router.

    >
    > > > I suggest then (if using hyperterminal and not using a
    > > > USB serial port adapter that does not send break)
    > > > press the <CTRL> key
    > > > power on the router
    > > > immediately begin pressing the break key every two seconds
    > > > do not hammer away at it
    > > > do this for at least ten seconds

    >
    > > > Power off and try again every second.

    >
    > > > Some USB serial port adapters do not send break signal
    > > > Some versions of hyperterminal do not send a break signal.
    > > > Various different terminal emulators use different keys
    > > > Macintoshes apparently do not send breaks (but there
    > > > is a workaround - set very slow baud rate and press some
    > > > certain key or other)

    >
    > > > Why not try for longer too?- Hide quoted text -

    >
    > > > - Show quoted text -

    >
    > > I am sure that we are sending the break to the router - have tested
    > > same sequence on a functional 857.

    >
    > > what i suspect is that the 'no service password-recovery' has done has
    > > manipulated the config-register so as to perhaps disable the break ?
    > > or perhaps access to the rommon completely ?

    >
    > > Thanks again for notes back

    >
    > My frail understanding is that no service password-rec
    > disables access to the rommon.
    >
    > It seems that once IOS starts there is a short period
    > where the serial port is monitored for a break signal
    > which permits entry to the recovery menu which has
    > the option of clearing the config.
    >
    > So with no IOS and no reasonable way to get one on board
    > you seem to be stuffed.
    >
    > De-soldering and re-soldering these chips is quite possible
    > for suitably skilled people but on a commercial basis for
    > sure not worth it. Especially if you were to consider
    > dismantling a good router as well!!!
    >
    > I think they use a hot air gun to heat the board and release/
    > re-attach the chip. Trick might be to make sure that not too
    > much falls off.
    >
    > Still, now you have had a course on cisco boot process.
    > Most of the routers/switches are very similar.- Hide quoted text -
    >
    > - Show quoted text -


    Indeed - one which we will no doubt look back on and smile - thanks
    for your advices on this
     
    Graham Turner, Jul 1, 2009
    #14
  15. GT

    Dan Lanciani Guest

    In article <>, (bod43) writes:

    | De-soldering and re-soldering these chips is quite possible
    | for suitably skilled people but on a commercial basis for
    | sure not worth it. Especially if you were to consider
    | dismantling a good router as well!!!

    You can usually get around this kind of thing without unsoldering (or
    at least without fully unsoldering) anything by convincing the box that
    the saved configuration is corrupt. I don't know what the 857 uses for
    configuration storage but NVRAM, eeprom, and flash parameter blocks are
    common. If the architecture isolates the various busses you can often
    simply ground an address line on the memory device to confuse the box
    into thinking the configuration is bogus. This is most tricky on flash
    devices where the boot block is also being used to, well, boot... It
    helps to get the data sheet for the flash device to see the sector
    architecture which will in turn allow you to select good candidate
    address lines. If the busses are not isolated you may need to lift a
    pin, but don't ignore the possibility of glitching a chip enable pin
    to take the whole device out of memory space at the right time.

    Dan Lanciani
    ddl@danlan.*com
     
    Dan Lanciani, Jul 1, 2009
    #15
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. news.xtra.co.nz

    cisco 857 - Dot11Radio setup for wpa-psk

    news.xtra.co.nz, Dec 1, 2005, in forum: Cisco
    Replies:
    0
    Views:
    1,936
    news.xtra.co.nz
    Dec 1, 2005
  2. Jim Rorrison

    Cisco 857 unable to connect to ADSL

    Jim Rorrison, Feb 6, 2006, in forum: Cisco
    Replies:
    7
    Views:
    9,948
    looploop
    Dec 27, 2007
  3. Digital Image Recovery
    Replies:
    1
    Views:
    1,339
  4. Digital Image Recovery

    Digital Image Recovery and Memory Stick Recovery; Recovery of Lost Photos

    Digital Image Recovery, Sep 10, 2004, in forum: Digital Photography
    Replies:
    0
    Views:
    1,191
    Digital Image Recovery
    Sep 10, 2004
  5. Replies:
    1
    Views:
    6,760
    flamer
    Apr 29, 2008
Loading...

Share This Page