cisco hands-on experience

Cisco Password Recovery

All Cisco routers have a 16-bit software register, which is written into NVRAM. By default, the configuration register is set to load the Cisco IOS from flash memory and to look for and load the startup-config file from NVRAM.

By changing the configuration register, you can perform password recovery on a Cisco router.

If you are locked out of a router because you forgot the password, you can change the configuration register to help you recover. Bit 6 in the configuration register tells the router whether or not to use the contents of NVRAM to load a router configuration. The default configuration register value is 0x2102; its third hex digit, 0, covers bits 4 to 7, which means that bit 6 is off. With the default setting, the router will look for and load a router configuration stored in NVRAM (startup-config). To recover a password, you need to turn on bit 6, which tells the router to ignore the NVRAM contents. The configuration register value with bit 6 turned on is 0x2142.

1. You can see the current value of the configuration register by using the show version command (sh version or show ver for short), as in the following example on a router.

The following router is used for this example:

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T6, RELEASE SOFTWARE (fc2)

show version
RT_Mui_RB uptime is 2 minutes
System returned to ROM by reload at 18:19:15 Berlin Mon Sep 16 2002
System image file is “flash:c870-advipservicesk9-mz.124-15.T6.bin”
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to

Cisco 871 (MPC8272) processor (revision 0x200) with 98304K/32768K bytes of memory.
Processor board ID FHK121623J5
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
28672K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

2. The last piece of information given by this command is the value of the configuration register. In this example, the value is 0x2102, which is the default setting.

While the router is rebooting, press and hold Ctrl+Break on the keyboard until it takes you into ROM monitor mode.
System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
Technical Support:
Copyright (c) 2006 by cisco Systems, Inc.

C870 series (Board ID: 3-148) platform with 131072 Kbytes of main memory

rommon 1 > confreg 0x2142

You must reset or power cycle for new config to take effect
rommon 2 > reset

3. When the router reloads, say no to entering setup mode.

4. Enter privileged mode and then type copy startup-config running-config.

5. Change your passwords and/or username then save your configuration with the copy run start command.

6. Change your configuration register back to 0x2102.

RT_Mui_RB(config)#config-register 0x2102
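
The bit 6 explanation and the final step above can be checked mechanically. The following is an added example, not part of the original post: it reads the configuration register line from `show version` output and reports whether the next boot will skip the startup-config, which is the state a router is left in if the register is never set back to 0x2102. The sample lines are constructed, the function names are hypothetical, and the boot field and bit 8 meanings come from Cisco's standard register layout rather than from this page.

```python
import re

# Bit 6 is the bit the article describes. The boot field and bit 8 come from
# Cisco's standard register layout (not from this page) so 0x2102 decodes fully.
BOOT_FIELD_MASK = 0x000F  # bits 0-3: boot field
IGNORE_NVRAM = 0x0040     # bit 6: skip startup-config in NVRAM at boot
BREAK_DISABLED = 0x0100   # bit 8: Break disabled

# "show version" prints the register in use and, if it was changed since
# boot, the value that takes effect at the next reload.
CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

# Constructed sample lines (not captured from a device).
SAMPLE_DEFAULT = "Configuration register is 0x2102"
SAMPLE_RECOVERY = "Configuration register is 0x2142"
SAMPLE_RESTORED = "Configuration register is 0x2142 (will be 0x2102 at next reload)"


def decode(value):
    """Break a 16-bit configuration register value into the fields above."""
    return {
        "value": f"0x{value:04X}",
        "boot_field": value & BOOT_FIELD_MASK,
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
    }


def audit_show_version(text):
    """Report the current and pending register and whether the next boot skips NVRAM."""
    match = CONFREG_RE.search(text)
    if match is None:
        raise ValueError("no 'Configuration register is' line found")
    current = int(match.group(1), 16)
    pending = int(match.group(2), 16) if match.group(2) else current
    return {
        "current": decode(current),
        "next_reload": decode(pending),
        "skips_startup_config_next_boot": bool(pending & IGNORE_NVRAM),
    }


if __name__ == "__main__":
    for line in (SAMPLE_DEFAULT, SAMPLE_RECOVERY, SAMPLE_RESTORED):
        print(line, "->", audit_show_version(line))
```

A router whose `show version` output still yields `skips_startup_config_next_boot` as true after recovery will come up unconfigured and without passwords at its next reload.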

  1. Lothar Beckstein Reply

    you can also send a “break” via telnet:
    telnet> send brk

    rommon 1 > confreg 0x2142

    rommon 2 > reset

    (Bootsequence starts)

    Would you like to enter the initial configuration dialog? [yes/no]: n

    Router> en

    Router# erase startup-config

    Router# conf terminal

    Router(config)# config-register 0x2102

    Router(config)# end

    Router# reload

    System configuration has been modified. Save? [yes/no]: no

    Proceed with reload? [confirm]

    After the second boot-start you can configure the router anew without a password

    • George Reply

      very good accessory!

    • Roxana Reply

      The only way that you can get load sharing is to use Link Aggregation Groups. LAG groups can only be established between connections that are terminating at both ends on the same network device. For the connections to be on the same device then they must be sold to you by the same service provider. Even if they were from the same provider, they would have to be on a device that provided both T1 and Cable connections. Setting up LAG at one end of a group of connections and not at the other end will cause a large number of problems. When there are two connections the network device will use the connection with the highest data rate. As the Cable connection is the highest data rate that is the one that the router will use. The T1 will only provide 1.544 Mbps of connection. You should be able to look at the statistics on each port from the Cisco 1841 router, to determine if there is any data being sent on the T1 or the Cable connection.

  2. Lisa Reply

    Yup, that’s Cisco alright and I can attest to your experience. Competitive advantage is what it’s all about. Besides, most companies I know don’t bother patching their Cisco gear. We’re lucky if they patch the Internet facing gear. Sure we never hear about these kinds of break-ins because the type of people that hack routers aren’t trying to rack up a few points on so they can brag to their friends. He who owns the router is god because they redirect DNS requests and redirect email. If you can redirect email you can easily make requests for digital certificates for putting up fake SSL servers or even get a code signing certificate.

    • George Reply

      very nice – thanks!

  3. DemetraWHeifner Reply

    You’re in reality a good webmaster. The website loading
    velocity is incredible. It kind of feels
    that you are doing any unique trick. Also, the contents are masterwork.
    You’ve done an excellent job in this subject!
