Password Recovery Techniques

Find the product in which you are interested in the right-hand column, and click on its associated technique to go directly to the password recovery instructions for that product.

Routers

Technique	Product
Technique#1	Cisco AGS, Cisco 2000 series, Cisco 2500 series, Cisco 3000 series, 680X0-Based 4000 series, Cisco 7000 series running Cisco IOS 10.0 or later in ROMs, IGS series running Cisco IOS 9.1 or later in ROMs
Technique#2	Cisco 1003, Cisco 4500, IDT Orion-based Cisco 3600, Motorola 860-based Cisco 2600
Technique#3	IGS routers running software earlier than Cisco IOS 9.1
Technique#4	CGS, MGS, AGS, AGS+, 70X0 running ROMs earlier than Cisco IOS 10.0
Technique#5	500-CS Communication Servers
Technique#6	Cisco 1020

Catalyst Switches

Technique	Product
Technique#7	Catalyst 1200, Catalyst 5000
Technique#8	Catalyst 1600
Technique#9	Catalyst 1800
Technique#10	Catalyst 2600
Technique#11	Catalyst 3000

Introduction

This document will explain several password recovery techniques for Cisco routers and Catalyst switches. You can perform password recovery on most of the platforms without changing hardware jumpers, but all platforms require the router to be reloaded. Password recovery can only be done from the console port physically attached to the router.

There are three ways to restore enable access to a router when the password is lost. You can view the password, change the password, or erase the configuration and start over as if the box were new.

Each procedure follows these basic steps:

Configure the router to boot up without reading the configuration memory (NVRAM). This is sometimes called the "test system mode."
Reboot the system.
Access enable mode (which can be done without a password if you are in test system mode).
View or change the password, or erase the configuration.
Reconfigure the router to boot up and read the NVRAM as it normally does.
Reboot the system.

NOTE: Some password recovery requires a terminal to issue a BREAK signal; you must be familiar with how your terminal or PC terminal emulator issues this signal. For example, in ProComm, the keys Alt-B will by default generate the BREAK signal, and in Windows Terminal you press Break or Ctrl+Break. Windows Terminal also allows you to define a function key as BREAK. From the terminal window, select Function Keys and define one as BREAK by filling in the characters ^$B (Shift 6, Shift 4, and Capital B).

The following 11 sections contain detailed instructions for specific Cisco routers and Catalyst switches. Locate your product in the section headings to determine which technique to use.

Technique #1

All Cisco AGS, Cisco 2000 Series, Cisco 2500 Series, Cisco 3000 Series, 680x0-Based Cisco 4000 Series, Cisco 7000 Series Running Cisco IOS 10.0 or Later in ROMs, IGS Series Running Cisco IOS 9.1 or Later in ROMs

This technique can be used on the Cisco 7000 and Cisco 7010 only if the router has Cisco IOS 10.0 ROMs installed on the RP card. It may be booting Flash Cisco IOS 10.0 software, but it needs the actual ROMs on the processor card as well.

Attach a terminal or PC with terminal emulation to the console port of the router.
Type show version and record the setting of the configuration register. It is usually 0x2102 or 0x102.
Power the router down, then up.
Press the Break key on the terminal within 60 seconds of the power up. You will see the > prompt with no router name. If you don't, the terminal is not sending the correct Break signal. In that case, check the terminal or terminal emulation setup.
Type o/r 0x42 at the > prompt to boot from Flash or o/r 0x41 to boot from the boot ROMs. (Note that this is the letter "o," not the numeral zero.) If you have Flash and it is intact, 0x42 is the best setting. Use 0x41 only if the Flash is erased or not installed.

NOTE: If you use 0x41, you can only view or erase the configuration. You cannot change the password.
Type i at the > prompt. The router will reboot but will ignore its saved configuration.
Answer no to all the setup questions.
Type enable at the Router> prompt. You'll be in enable mode and see the Router# prompt.
Choose one of these three options:
- To view the password type show config.
- To change the password (in case it is encrypted, for example), do the following:
  1. Type config mem to copy the NVRAM into memory.
  2. Type wr term.
    If you have enable secret xxxx, then:
    Type config term and make the changes.
    Type enable secret <password>
    Press Ctrl-z
    If you do not, then:
    Type enable password <password>.
    Press Ctrl-z.
  3. Type write mem to commit the changes.
- To erase the config, type write erase.
Type config term at the prompt.
Type config-register 0x2102, or whatever value you recorded in step 2.
Press Ctrl-Z to quit from the editor.
Type reload at the prompt. You do not need to write memory.

Technique #2

Cisco 1003, Cisco 4500, IDT Orion-Based Cisco 3600, or Motorola 860 Based Cisco 2600

Attach a terminal or PC with terminal emulation to the console port of the router.
Type show version and record the setting of the configuration register. It is usually 0x2102 or 0x102.
Power the router down, then up.

Press the Break key on the terminal within 60 seconds of the power-up. Follow the applicable guidelines in the table below, according to your platform:

Follow the steps in this column...
if you have a Cisco 2000 Series, 2500 Series, 3000 Series, 680x0-based 4000 Series, 7000 Series running Cisco IOS 10.0 or later in ROMs, IGS Series running 9.1 or later in ROMs
OR
if you see the ">" prompt after you issue the break key sequence. Follow the steps in this column...
if you have a Cisco 1003, 1004, 3600, 4500, 4700 or IDT Orion-based router (72xx, 75xx)
OR
if you see the "ROMMON>" prompt after you issue the break key sequence.

At the ">" prompt, type o/r 0x42 to boot from Flash, or o/r 0x41 to boot from the boot ROMs. (Note that this is the letter "o", not the numeral zero.) If you have Flash and it is intact, 0x42 is the best setting. Use 0x41 only if the Flash is erased or not installed.
Note: If you use 0x41, you can only view or erase the configuration; you cannot change the password.

Type i at the ">" prompt. The router will reboot but will ignore its saved configuration.

At the "ROMMON>" prompt, type confreg 0x42 to boot from Flash, or confreg 0x41 to boot from the boot ROMs. If you have Flash and it is intact, 0x42 is the best setting. Use 0x41 only if the Flash is erased or not installed.
Note: If you use 0x41, you can only view or erase the configuration; you cannot change the password.

Type reset; at the "ROMMON>" prompt, or power cycle your router.

Once the router boots up, answer no to all the Setup questions. (If you accidentally type "yes" to a question, press Ctrl-C to break out of the initial configuration.)
Type enable at the Router> prompt. You'll be in enable mode and see the Router# prompt.
Choose one of these three options:
- To view the password type show config.
- To change the password (in case it is encrypted, for example):
  1. Type config mem to copy the NVRAM into memory.
  2. Type wr term.
    If you have enable secret xxxx, then:
    Type config term and make the changes.
    Type enable secret <password>.
    Press Ctrl-z
    If you do not, then:
    Type enable password <password>
    Press Ctrl-z
  3. Type write mem to commit the changes.
- To erase the config, type write erase.
Type config term at the prompt.
Type config-register 0x2102 or whatever value you recorded in step 2.
Press Ctrl-Z to quit from the editor.
Type reload at the prompt. You do not need to write memory.

Technique #3

IGS Routers Running Software Earlier Than Cisco IOS 9.1

IGS routers have a bank of DIP switches on the rear panel. If they are running software earlier than Cisco IOS 9.1, then these switches are used for password recovery.

Attach a terminal or PC with terminal emulation to the console port of the router.
Power the router down.
Record the settings of the switches on the rear panel.
Set switch 7 ON (or down).
Set switches 0-3 OFF (or up).
Power the router up. It will boot up to the > prompt.
Type b at the > prompt. The router is in test-system mode.
Press return until the Test-System> prompt appears.
Type enable at the prompt. You'll be in enable mode and see the Test-System# prompt.
Choose one of these three options:
- To view the password type show config.
- To change the password (in case it is encrypted, for example):
  1. Type config mem to copy the NVRAM into memory.
  2. Type wr term.
    If you have enable secret xxxx, then:
    Type config term and make the changes
    Type enable secret <password>
    Press Ctrl-z
    If you do not, then:
    Type enable password <password>
    Press Ctrl-z
  3. Type write mem to commit the changes.
- To erase the config, type write erase.
Restore the switch setting to those recorded in step 3.
Reboot the router.

Technique #4

CGS, MGS, AGS, AGS+, 70x0 Running ROMs Earlier Than In Cisco IOS 10.0

Attach a terminal or PC with terminal emulation to the console port of the router.
Power the router down.
Remove the processor card (CSC/2 or CSC/3 or CSC/4 on AGS/CGS/MGS, or RP on a 70x0).
Change the hardware register from bit position 0 (or 1) to position 15.
Re-insert the processor card.
Power the router up.
Press b at the > prompt or b flash if you have Flash memory installed.
Press return until the Test-System> prompt appears.
Type enable at the prompt. You'll be in enable mode and see the Test-System# prompt.
Choose one of these three options:
- To view the password type show config.
- To change the password (in case it is encrypted, for example):
  1. Type config mem to copy the NVRAM into memory.
  2. Type wr term.
    If you have enable secret xxxx, then:
    Type config term and make the changes.
    Type enable secret <password>.
    Press Ctrl-z.
    If you do not, then:
    Type enable password <password>.
    Press Ctrl-z.
  3. Type write mem to commit the changes.
- To ERASE the config, type write erase.
Power the router down.
Remove the processor card and return the jumper on pin 15 to its original position.
Power the router up.

Technique #5

500-CS Communication Servers

The password cannot be recovered from the 500-CS since it does not have a console port. Your only option is to erase the configuration.

Power the router off by unplugging it.
Depress and hold the DEFAULT button on the front of the chassis.
Power the router back on.
Watch the OK and LAN LEDs. They will blink on, and then off.
When they blink off (after about 15 seconds), release the DEFAULT button.
In about two to ten minutes, the 500-CS will enter setup mode, as if it was factory new.
Configure the router.

You could also recover a password on a 500 by holding the DEFAULT button down for 30-45 seconds. The system will then be in test mode, and you can follow the normal procedure for password recovery. See the earlier sections for details.

Technique #6

Cisco 1020

You must call the Cisco TAC to recover Cisco 1020 passwords. The Cisco 1020 will issue a password override challenge that can only be interpreted by TAC personnel.

Technique #7

Catalyst 1200 and 5000

To recover a lost password on Catalyst 1200, Catalyst 5000, and all concentrators:

You must be on the console.
Reboot the device.
When you see the password prompt, press Enter (null password for 30 seconds).
Type Enable.
When you see the password prompt press Enter (null password for 30 seconds).
Change the password.

Technique #8

Catalyst 1600

To recover a lost password on the Catalyst 1600, you need to push and hold the reset button on the switch until the LCD display displays "erasing mgmt passwd". If you let go at that point, the switch will reset and will come back without a password. This can also be achieved from TrueView.

Technique #9

Catalyst 1800

To recover a lost password on the Catalyst 1800, first look on the left side of the Catalyst 1800 switch. There should be two small black buttons mounted on a red holding device, located side by side inside the left cover. The black button located nearer to the front of the switch is the NMI switch.

To do the password recovery, let the box boot up. When the box has finished booting up and asks for the password, press the NMI switch five times. This will reload the switch and reset the password to its default value of "public."

Technique #10

Catalyst 2600

Press the System Request button to access the System Request Menu, and then Clear NVRAM. This will clear the password, but will also reset all configuration parameters to their default values, which means losing all options previously configured on the switch.