Introduction

In some cases, you may want to have a Cisco router to enter ROMMON mode when boots up instead of the normal CLI mode. The most common cases entering the ROMMON mode are to perform password recovery or to revive router from corrupted or unavailable working IOS image. Another common case is to change or reset configuration register value back to default (which is 0x2102). With any one of these cases, you may have to issue commonly-used commands such as tftpdnld and reset. Check out the following FAQ for some illustration.

»Cisco Forum FAQ »Corrupt image & router boots into rommon mode

Following is some exploration of not-that-common ROMMON commands.

The cookie command

This command shows hardware info of the specific Cisco device such as PCB version, product identifier, and RMA. As a note, each Cisco hardware has his own cookie and if they are not the right ones there is a cookie check against hardware that need to be validated by the starting ROM.

Issue of having incorrect cookie info is getting error message of something like bad software or like the following.

Failed Authentication Test. This router may not be a genuine Cisco product.
FAILED: Cookie signature verification failed, status = 540

To illustrate the cookie command, following is the command output comes from 877 router

rommon 1 > cookie

cookie:
04 ff c3 06 00 18 73 6d ad db 43 00 0a c1 8b 46
4f 43 31 30 32 35 30 39 43 57 40 04 b5 41 02 00
82 4a 0d ad 02 42 42 30 c0 46 03 20 00 68 a0 02
88 00 00 00 00 02 02 c6 8a 56 41 4d 46 37 31 30
45 52 41 03 00 81 00 00 00 00 04 00 cb 94 43 49
53 43 4f 38 37 37 2d 4b 39 20 20 20 20 20 20 20
20 20 89 56 30 31 20 d9 02 40 c1 09 94 c2 8b 46
48 4b 31 30 32 36 32 33 44 46 4a ff ff ff ff ff

Description

Router Cisco 877 K9 with IOS:
c870-advsecurityk9-mz[1].124-15.T2.bin
Processor board ID FHK095120BU
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10

byte 0x00 – ID PROM Version (0x04): 04
byte 0x01 – Compatibility Byte (0xff): ff
byte 0x02 – MAC Address – Type (0xc3): c3
bytes 0x03 – MAC Address – Length (0x06): 06
bytes 0x04-0x09 – MAC Address: 00 18 73 6d ad db
bytes 0x0a – MAC Address Block Size – Type (0x43): 43
bytes 0x0b-0x0c – MAC Address Block Size: 00 0a
bytes 0x0d – PCB Serial Number – Type (0xc1): c1
bytes 0x0e – PCB Serial Number – Length (0x8b): 8b
bytes 0x0f-0x19 – PCB Serial Number: 46 4f 43 30 39 34 38 31 34 4c 53 > Label SN: FOC094814LS
byte 0x1a – Controller Type – Type (0x40): 40
byte 0x1b – Controller Type – High Byte: 04
byte 0x1c – Controller Type – Low Byte: b5
byte 0x1d – Hardware Version – Type (0x41): 41
byte 0x1e – Hardware Version – High Byte (0x01): 01
byte 0x1f – Hardware Version – Low Byte (0x00): 00
byte 0x20 – 73-level PCB PN – Type (0x82): 82
byte 0x21-0x24 – 73-level PCB PN: 4a 0d ad 02
bytes 0x25 – PCB Revision – Type (0x42): 42
bytes 0x26-0x27 – PCB Revision (0x3031): 30 31
bytes 0x28 – 800 Level PCB PN – Type (0xc0): c0
bytes 0x29 – 800 Level PCB PN – Length (0x46): 46
bytes 0x2a-0x2f – 800 Level PCB PN (0x032000303901): 03 20 00 30 39 01
bytes 0x30 – Deviation Number – Type (0x88): 88
bytes 0x31-0x34 – Deviation Number (0x00000000): 00 00 00 00
bytes 0x35 – PCB Fab Version – type (0x02): 02
bytes 0x36 – PCB Fab Version (0x01): 01
bytes 0x37 – CLEI Code – Type (0xc6): c6
bytes 0x38 – CLEI Code – Length (0x8a): 8a
bytes 0x39-0x42 – CLEI Code (0x49504d45443030425241): 49 50 4d 45 44 30 30 42 52 41
bytes 0x43 – RMA Test History – Type (0x03): 03
bytes 0x44 – RMA Test History (0x00): 00
bytes 0x45 – RMA Number – Type (0x81): 81
bytes 0x46-0x49 – RMA Number (0x00000000): 00 00 00 00
bytes 0x4a – RMA History – Type (0x04): 04
bytes 0x4b – RMA History (0x00): 00
bytes 0x4c – Product Identifier PID – Type (0xcb): cb
bytes 0x4d – Product Identifier PID – Length (0x94): 94
bytes 0x4e-0x61 – Product Identifier PID: 43 49 53 43 4f 38 37 37 2d 4b 39 20 20 20 20 20 20 20 20 20
bytes 0x62 – Version Identifier VID – Type (0x89): 89
bytes 0x63-0x66 – Version Identifier VID: 56 30 31 20
bytes 0x67 – Digital Signature List – Type: d9
bytes 0x68 – Digital Signature List – Length: 02
bytes 0x69-0x6a – Digital Signature List: 40 c1
bytes 0x6b – processor type – type (0x09): 09
bytes 0x6c – processor type – cpu id: 94
bytes 0x6d – Chassis Serial Number – Type (0xc2): c2
bytes 0x6e – Chassis Serial Number – Length (0x8b): 8b
bytes 0x6f-0x79 – Chassis Serial Number: 46 48 4b 30 39 35 31 32 30 42 55 > Label FHK095120BU at the router back.
bytes 0x7a – Radio Country Code – Type (0x4a): 4a
bytes 0x7b-0x7c – Radio Country Code: ff ff
bytes 0x7d-0x7f: ff ff ff

The priv command

To enter the ROMMON priv mode on Cisco router, check out the following instruction.

ROMMON priv command enable mode
Saga about PRIV command in ROMMON

The PRIV password depends from hardware cookie:

password := (i1+...+i5) mod 2^16

where i1...i5 first five words in cookie

Also this features working on 1600,3600,7500

P.S.: for 7500 password not need

Cisco 3640:

System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.

rommon 1 > cookie

cookie:
00 01 00 03 e3 bd 0d 40 0a ff ...
rommon 2 > priv
Password: fc00
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
rommon 3 >

Cisco 7513:

System Bootstrap, Version 11.1(2) [nitin 2], RELEASE SOFTWARE (fc1)
Copyright (c) 1994 by cisco Systems, Inc.
SLOT 6 RSP2 is system master
RSP2 processor with 131072 Kbytes of main memory

monitor: command "boot" aborted due to user interrupt
rommon 1 > priv
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
rommon 2 >

This priv command is useful when you need to change the cookie info on the Cisco hardware due to some unexpected change during lightning storm or similar. Note that you need to have sufficient understanding of machine language (Assembler) and lots of leg work such as studying Cisco hardware info samples, checking PCB printed code and serial number labels.

The passwd command

Using passwd command, you can change or clear the enable password of the priv command usage. Following is illustration.

boot> enable debug
password: em gubed
boot> [DANGER] passwd
new:
again:
boot> [DANGER] enable
boot#

ROMMON priv Command Applications

As mentioned previously, the priv command application is mostly commonly used to reset Cisco hardware cookie info that got changed unexpectedly due to lightning or dirty power issue. Here is other application that priv command is applicable.

»[H/W] C850/870W WLAN card

got feedback? got feedback?

Any feedback you provide is sent to the owner of this FAQ for possible incorporation and shown publically as well.

by PA23 edited by aryoba
last modified: 2011-08-30 16:36:52