Cisco Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813

3 Routers

Table of Contents
Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Routers .......................1 Document ID: 12732 ................................................................................................................................1 Introduction..........................................................................................................................................................1 Prerequisites.........................................................................................................................................................1 Requirements..........................................................................................................................................1 Conventions............................................................................................................................................1 StepbyStep Procedure ......................................................................................................................................1 Sample Output Example.........................................................................................................................3 Example of Enable Password Recovery.................................................................................................5 Example of Password Replacement........................................................................................................6 Related Information.............................................................................................................................................7

Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Routers
Document ID: 12732
Introduction Prerequisites Requirements Conventions StepbyStep Procedure Sample Output Example Example of Enable Password Recovery Example of Password Replacement Related Information

Introduction
This document describes the procedure for recovering an enable password or replacing enablesecret passwords on Cisco 801, 802, 803, 804, 805, 811, and 813 Series Routers. These passwords are used to protect access to privileged EXEC and configuration modes. The enable password can be recovered because it is displayed in plain text in the configutaion file. The enablesecret password is encrypted in the configuration file and therefore can only be replaced with a new password.

Prerequisites
Requirements
There are no specific requirements for this document.

Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.

StepbyStep Procedure
Use the following procedure to perform password recovery on the 8xx Series Routers. You may encounter booting problems with the Cisco 801, 802, 803, 804, 805, 811 and 813 Series Routers. Cisco 801805, 811, and 813 routers boot into TinyROM at powerup or after saving any configuration from the console port using Cisco IOS Software Release 12.1(3) and later. For details of the affected unit serial number and the procedure to solve the booting problem, see Field Notice: Cisco 801805 and Cisco 811 and 813 Boots into TinyROM. Note: To recover a password on Cisco 806, 826, 827, 828, 831, or 837 Series Routers, refer to Password Recovery Procedure for the Cisco 806, 827, and 837 Series Routers. 1. Attach a terminal or PC with terminal emulation to the console port of the router. Use the following terminal settings: Cisco Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Routers

9600 baud rate No parity 8 data bits 1 stop bit

The required console cable specifications are described in Cabling Guide for Console and AUX Ports. 2. Use the power switch to turn the router off and then turn it back on. 3. Press Break on the terminal keyboard within 60 seconds of the powerup to put the router into ROMMON. If the break sequence doesn't work, see Possible Key Combinations for Break Sequence During Password Recovery for other key combinations. 4. Type set at the boot# prompt and record the current value of the configuration register (set by the "iosconf" variable):
boot# set set baud set databits set parity set stopbits set consoleflags set macaddress set unitip set servip set netmask set gateip set pkttimeout set tftptimeout set bootaction set filename set watchdog set prompt set iosconf =9600 =8 =none =1 =0 =0050.7307.C329 =10.200.40.65 =255.255.255.255 =255.255.252.0 =10.200.40.1 =8 =16 =flash ="c800nsy6mw.12210b.bin" =off ="boot" =0x2102

! This is the value to record

5. Type set iosconf = 142 at the boot# prompt. If Flash is intact, the best setting is 142. If the Flash is not installed or is erased, use the 141 setting. Note: With this setting, you can view or erase the configuration, but you cannot change the password. 6. Type boot at the boot# prompt to initialize the router. The router reboots but ignores its saved configuration. 7. Type no after each setup question or press CtrlC to skip the initial setup procedure. 8. Type enable at the Router> prompt. You'll be in enable mode and see the Router# prompt. 9. Important: Type config mem or copy start running to copy the nonvolatile RAM (NVRAM) into memory. Do not type config term or copy running start. 10. Type write terminal or show running. The show running and write terminal commands show the configuration of the router. In this configuration, you see under all the interfaces the shutdown command, which means all interfaces are currently shutdown. Also, you can see the passwords either in encrypted or unencrypted format. Cisco Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Routers

11. Type config term and make the changes. The prompt is now hostname(config)#. 12. Type enable secret <password>. 13. Issue the no shutdown command on every interface that is used. If you issue a show ip interface brief command, every interface that you want to use should be "up up". 14. Type configregister 0x2102 , or the value you recorded in step 4. 15. Press Ctrlz to leave the configuration mode. The prompt is now hostname#. 16. Type write mem or copy running startup to commit the changes. 17. Type reload. Once the router reloads, the configuration register value changes from 0x142 to 0x2102.

Sample Output Example

The sample output shown here is the result of the password recovery procedure on a Cisco 803. Even if you are not using a Cisco 803 router, this example is almost exactly what you should experience on your product.
Router>show version Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800NSY6MW), Version 12.2(10b), RELEASE SOFTWARE (fc1) Copyright (c) 19862002 by cisco Systems, Inc. Compiled Thu 11Jul02 19:53 by pwade Image textbase: 0x000F2000, database: 0x0086C000 ROM: TinyROM version 1.0(3) leased uptime is 1 minute System returned to ROM by poweron System image file is "flash:c800nsy6mw.12210b.bin" Cisco C803 (MPC850) processor (revision 1) with 52940K bytes of virtual memory. Processor board ID JAD03325506 (2953252) CPU part number 0x2100 X.25 software, Version 3.0.0. Bridging software. Basic Rate ISDN software, Version 1.1. 2 POTS Ports 1 Ethernet/IEEE 802.3 interface(s) 1 ISDN Basic Rate interface(s) 12M bytes of physical memory (DRAM) 8K bytes of nonvolatile configuration memory 12M bytes of flash on board (8M from flash card) Configuration register is 0x2102 ! The router was just powercycled and during bootup a ! break sequence was sent to the router.

TinyROM version 1.0(3) Fri Apr 30 18:22:12 1999 Copyright (c) 19981999 by cisco Systems, Inc. All rights reserved. POST ......... OK. 12MB DRAM, 8MB Flash. boot# set set baud =9600 set databits =8 set parity =none

Cisco Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Routers

set set set set set set set set set set set set set set

stopbits consoleflags macaddress unitip servip netmask gateip pkttimeout tftptimeout bootaction filename watchdog prompt iosconf

=1 =0 =0050.7307.C329 =10.200.40.65 =255.255.255.255 =255.255.252.0 =10.200.40.1 =8 =16 =flash ="c800nsy6mw.12210b.bin" =off ="boot" =0x2102

boot# set iosconf = 142 !You can use 0x142 or 0x2142 boot# boot Booting "c800nsy6mw.12210b.bin"..., Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software Restricted Rights clause at FAR sec. 52.22719 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.2277013. cisco Systems, Inc. 170 West Tasman Drive San Jose, California 951341706 Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800Y6MW), Version 12.2(10b), RELEASE SOFTWARE (fc1) Copyright (c) 19862002 by cisco Systems, Inc. Compiled Thu 11Jul02 19:53 by pwade Image textbase: 0x000F2000, database: 0x0086C000 Cisco C803 (MPC850) processor (revision 1) with 52940K bytes of virtual memory. Processor board ID JAD03325506 (2953252) CPU part number 0x2100 X.25 software, Version 3.0.0. Bridging software. Basic Rate ISDN software, Version 1.1. 2 POTS Ports 1 Ethernet/IEEE 802.3 interface(s) 1 ISDN Basic Rate interface(s) 12M bytes of physical memory (DRAM) 8K bytes of nonvolatile configuration memory 12M bytes of flash on board (8M from flash card)

System Configuration Dialog Would you like to enter the initial configuration dialog? [yes/no]: no

Press RETURN to get started! (press Enter) 00:26:02: %SYS5RESTART: System restarted

Cisco Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Routers

Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800NSY6MW), Version 12.2(10b), RELEASE SOFTWARE (fc1) Copyright (c) 19862002 by cisco Systems, Inc. Compiled Thu 11Jul02 19:53 by pwade 00:26:02: %SNMP5COLDSTART: SNMP agent on host Router is undergoing a cold start 00:26:02: %LINK5CHANGED: Interface BRI0, changed state to administratively down 00:26:03: %LINEPROTO5UPDOWN: Line protocol on Interface BRI0, changed state to down 00:26:03: %LINK5CHANGED: Interface Ethernet0, changed state to administratively down 00:26:04: %LINEPROTO5UPDOWN: Line protocol on Interface Ethernet0, changed state to down

Router>enable Router#copy startupconfig runningconfig Destination filename [runningconfig]? (press Enter) % Login disabled % Login disabled % Login disabled % Login disabled % Login disabled 797 bytes copied 00:27:47: 00:27:47: 00:27:48: 00:27:48: on on on on on in line 1, until 'password' is line 2, until 'password' is line 3, until 'password' is line 4, until 'password' is line 5, until 'password' is 2.304 secs (346 bytes/sec) set set set set set

%LINK3UPDOWN: Interface %LINK3UPDOWN: Interface %LINEPROTO5UPDOWN: Line %LINEPROTO5UPDOWN: Line

BRI0:1, changed state BRI0:2, changed state protocol on Interface protocol on Interface

to down to down BRI0:1, changed state to down BRI0:2, changed state to down

Note: After copying the configuration file from NVRAM to RAM, you can either do a Password recovery (if the enable password is configured which will be in plain text format) or Password replacement ( if the enablesecret password is configured which will be in encrypted format) depending on how the password is last configured. To check in which format the password is configured in the router, use the show runningconfig command, and look for enable password or enable secret password in the configuration

Example of Enable Password Recovery

The following show runningconfig output shows that enable password is configured. Password recovery can be done as shown below:
Router#show runningconfig Building configuration... Current configuration : 820 bytes ! version 12.2 service timestamps debug uptime service timestamps log uptime no service passwordencryption ! hostname Router ! boot system flash c800nsy6mw.12210b.bin enable password cisco

! Here the Password is plain clear text. We can either maintain ! the same password or replace with a new password for security reasons. ! Output omitted

Cisco Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Routers

Example of Password Replacement

The following output from a show runningconfig shows that the enable secret password is configured. As a result, password replacement can be performed as shown below:
Router#show runningconfig Building configuration... Current configuration : 835 bytes ! version 12.2 service timestamps debug uptime service timestamps log uptime no service passwordencryption ! hostname Router ! boot system flash c800nsy6mw.12210b.bin enable secret 5 $1$O80N$NjrO/6P5jpi0PZYzAj/vX0

! Password replacement has to be done as the password ! is in encrypted format ! Output omitted

Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#enable secret letmein Router(config)# 00:03:39: %SYS5CONFIG_I: Configured from console by console

Once the password recovery or replacement is done, the remaining steps are the same, as shown below:
Router#show ip interface brief Interface IPAddress OK? Method Status Protocol BRI0 unassigned YES TFTP administratively down down BRI0:1 unassigned YES unset administratively down down BRI0:2 unassigned YES unset administratively down down Ethernet0 10.200.40.65 YES TFTP administratively down down Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#interface ethernet 0 Router(configif)#no shutdown Router(configif)# 00:30:02: %LINK3UPDOWN: Interface Ethernet0, changed state to up 00:30:03: %LINEPROTO5UPDOWN: Line protocol on Interface Ethernet0, changed state to up Router(config)#configreg 0x2102 Router(config)#^Z Router# 00:04:36: %SYS5CONFIG_I: Configured from console by console Router#write memory

By issuing the configreg 0x2102 command, the new configuration register value does not take effect immediately. The new value will be effective only after the router is reloaded. The show version command below shows the current value (0x142) and the value that will be effective after the next reload (0x2102).
Router#show version Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800NSY6MW), Version 12.2(10b), RELEASE SOFTWARE (fc1) Copyright (c) 19862002 by cisco Systems, Inc.

Cisco Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Routers

Compiled Thu 11Jul02 19:53 by pwade Image textbase: 0x000F2000, database: 0x0086C000 ROM: TinyROM version 1.0(3) leased uptime is 7 minutes System returned to ROM by poweron System image file is "flash:c800nsy6mw.12210b.bin" Cisco C803 (MPC850) processor (revision 1) with 52940K bytes of virtual memory. Processor board ID JAD03325506 (2953252) CPU part number 0x2100 X.25 software, Version 3.0.0. Bridging software. Basic Rate ISDN software, Version 1.1. 2 POTS Ports 1 Ethernet/IEEE 802.3 interface(s) 1 ISDN Basic Rate interface(s) 12M bytes of physical memory (DRAM) 8K bytes of nonvolatile configuration memory 12M bytes of flash on board (8M from flash card) Configuration register is 0x142 ! Will be 0x2102 at next reload

After the router reloads, the configuration register value is 0x2102, as shown below:
Router#show version Cisco Internetwork Operating System Software IOS (tm) C800 Software (C800NSY6MW), Version 12.2(10b), RELEASE SOFTWARE (fc1) Copyright (c) 19862002 by cisco Systems, Inc. Compiled Thu 11Jul02 19:53 by pwade Image textbase: 0x000F2000, database: 0x0086C000 ROM: TinyROM version 1.0(3) leased uptime is 0 minutes System returned to ROM by poweron System image file is "flash:c800nsy6mw.12210b.bin" Cisco C803 (MPC850) processor (revision 1) with 52940K bytes of virtual memory. Processor board ID JAD03325506 (2953252) CPU part number 0x2100 X.25 software, Version 3.0.0. Bridging software. Basic Rate ISDN software, Version 1.1. 2 POTS Ports 1 Ethernet/IEEE 802.3 interface(s) 1 ISDN Basic Rate interface(s) 12M bytes of physical memory (DRAM) 8K bytes of nonvolatile configuration memory 12M bytes of flash on board (8M from flash card) Configuration register is 0x2102

Related Information
Password Recovery Procedure for the Cisco 806, 827, and 837 Series Routers Technical Support Cisco Systems

Cisco Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Routers

All contents are Copyright 19922005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Updated: Jun 27, 2005

Document ID: 12732

Cisco Password Recovery Procedure for the Cisco 801, 802, 803, 804, 805, 811, and 813 Routers