

In some cases, you may want a Cisco router to enter ROMMON mode when it boots instead of the normal CLI mode. The most common reasons to enter ROMMON mode are to perform password recovery or to revive a router whose working IOS image is corrupted or unavailable. Another common case is to change or reset the configuration register value back to the default (which is 0x2102). In any of these cases, you may have to issue commonly used commands such as tftpdnld and reset. See the following FAQ for an illustration.

»Cisco Forum FAQ »Corrupt image & router boots into rommon mode

The following explores some less common ROMMON commands.

The cookie command

This command shows hardware info for the specific Cisco device, such as the PCB version, product identifier, and RMA data. Note that each piece of Cisco hardware has its own cookie, and the boot ROM validates the cookie against the hardware at startup, so a cookie that is not the right one fails that check.

With incorrect cookie info, the router reports an error such as "bad software" or the following.

Failed Authentication Test. This router may not be a genuine Cisco product.
FAILED: Cookie signature verification failed, status = 540

To illustrate the cookie command, the following output comes from an 877 router.

rommon 1 > cookie

04 ff c3 06 00 18 73 6d ad db 43 00 0a c1 8b 46
4f 43 31 30 32 35 30 39 43 57 40 04 b5 41 02 00
82 4a 0d ad 02 42 42 30 c0 46 03 20 00 68 a0 02
88 00 00 00 00 02 02 c6 8a 56 41 4d 46 37 31 30
45 52 41 03 00 81 00 00 00 00 04 00 cb 94 43 49
53 43 4f 38 37 37 2d 4b 39 20 20 20 20 20 20 20
20 20 89 56 30 31 20 d9 02 40 c1 09 94 c2 8b 46
48 4b 31 30 32 36 32 33 44 46 4a ff ff ff ff ff


Router Cisco 877 K9 with IOS:
Processor board ID FHK095120BU
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10

byte 0x00 ID PROM Version (0x04): 04
byte 0x01 Compatibility Byte (0xff): ff
byte 0x02 MAC Address Type (0xc3): c3
bytes 0x03 MAC Address Length (0x06): 06
bytes 0x04-0x09 MAC Address: 00 18 73 6d ad db
bytes 0x0a MAC Address Block Size Type (0x43): 43
bytes 0x0b-0x0c MAC Address Block Size: 00 0a
bytes 0x0d PCB Serial Number Type (0xc1): c1
bytes 0x0e PCB Serial Number Length (0x8b): 8b
bytes 0x0f-0x19 PCB Serial Number: 46 4f 43 30 39 34 38 31 34 4c 53 > Label SN: FOC094814LS
byte 0x1a Controller Type Type (0x40): 40
byte 0x1b Controller Type High Byte: 04
byte 0x1c Controller Type Low Byte: b5
byte 0x1d Hardware Version Type (0x41): 41
byte 0x1e Hardware Version High Byte (0x01): 01
byte 0x1f Hardware Version Low Byte (0x00): 00
byte 0x20 73-level PCB PN Type (0x82): 82
byte 0x21-0x24 73-level PCB PN: 4a 0d ad 02
bytes 0x25 PCB Revision Type (0x42): 42
bytes 0x26-0x27 PCB Revision (0x3031): 30 31
bytes 0x28 800 Level PCB PN Type (0xc0): c0
bytes 0x29 800 Level PCB PN Length (0x46): 46
bytes 0x2a-0x2f 800 Level PCB PN (0x032000303901): 03 20 00 30 39 01
bytes 0x30 Deviation Number Type (0x88): 88
bytes 0x31-0x34 Deviation Number (0x00000000): 00 00 00 00
bytes 0x35 PCB Fab Version type (0x02): 02
bytes 0x36 PCB Fab Version (0x01): 01
bytes 0x37 CLEI Code Type (0xc6): c6
bytes 0x38 CLEI Code Length (0x8a): 8a
bytes 0x39-0x42 CLEI Code (0x49504d45443030425241): 49 50 4d 45 44 30 30 42 52 41
bytes 0x43 RMA Test History Type (0x03): 03
bytes 0x44 RMA Test History (0x00): 00
bytes 0x45 RMA Number Type (0x81): 81
bytes 0x46-0x49 RMA Number (0x00000000): 00 00 00 00
bytes 0x4a RMA History Type (0x04): 04
bytes 0x4b RMA History (0x00): 00
bytes 0x4c Product Identifier PID Type (0xcb): cb
bytes 0x4d Product Identifier PID Length (0x94): 94
bytes 0x4e-0x61 Product Identifier PID: 43 49 53 43 4f 38 37 37 2d 4b 39 20 20 20 20 20 20 20 20 20
bytes 0x62 Version Identifier VID Type (0x89): 89
bytes 0x63-0x66 Version Identifier VID: 56 30 31 20
bytes 0x67 Digital Signature List Type: d9
bytes 0x68 Digital Signature List Length: 02
bytes 0x69-0x6a Digital Signature List: 40 c1
bytes 0x6b processor type type (0x09): 09
bytes 0x6c processor type cpu id: 94
bytes 0x6d Chassis Serial Number Type (0xc2): c2
bytes 0x6e Chassis Serial Number Length (0x8b): 8b
bytes 0x6f-0x79 Chassis Serial Number: 46 48 4b 30 39 35 31 32 30 42 55 > Label FHK095120BU at the router back.
bytes 0x7a Radio Country Code Type (0x4a): 4a
bytes 0x7b-0x7c Radio Country Code: ff ff
bytes 0x7d-0x7f: ff ff ff
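
An added example, not part of the original FAQ: a Python decoder that walks the 877 dump printed above record by record and compares the decoded serial and PID with a label or asset record. The size rule in the comments is inferred from the table and is an assumption, as are the function and key names; the decoded serials differ from the table's because the table documents a second 877 (board ID FHK095120BU).

```python
# Added example: walk the type/value records of the ROMMON `cookie` dump above.
# Assumption inferred from the page's table (the page does not state it): the top
# two bits of a type byte give the value size (00 -> 1, 01 -> 2, 10 -> 4 bytes);
# 11 means a length byte follows, with the size in its low six bits.

DUMP = """
04 ff c3 06 00 18 73 6d ad db 43 00 0a c1 8b 46
4f 43 31 30 32 35 30 39 43 57 40 04 b5 41 02 00
82 4a 0d ad 02 42 42 30 c0 46 03 20 00 68 a0 02
88 00 00 00 00 02 02 c6 8a 56 41 4d 46 37 31 30
45 52 41 03 00 81 00 00 00 00 04 00 cb 94 43 49
53 43 4f 38 37 37 2d 4b 39 20 20 20 20 20 20 20
20 20 89 56 30 31 20 d9 02 40 c1 09 94 c2 8b 46
48 4b 31 30 32 36 32 33 44 46 4a ff ff ff ff ff
"""  # the 877 dump printed on the page

# Type codes and field names taken from the page's table (keys are hypothetical).
NAMES = {0xC3: "mac_address", 0x43: "mac_block_size", 0xC1: "pcb_serial",
         0x40: "controller_type", 0x41: "hardware_version", 0x82: "pcb_pn_73",
         0x42: "pcb_revision", 0xC0: "pcb_pn_800", 0x88: "deviation_number",
         0x02: "fab_version", 0xC6: "clei_code", 0x03: "rma_test_history",
         0x81: "rma_number", 0x04: "rma_history", 0xCB: "product_id",
         0x89: "version_id", 0xD9: "signature_list", 0x09: "processor_type",
         0xC2: "chassis_serial", 0x4A: "radio_country_code"}
TEXT = {"pcb_serial", "pcb_revision", "clei_code", "product_id", "version_id",
        "chassis_serial"}

def parse_cookie(dump):
    data = bytes(int(tok, 16) for tok in dump.split())
    fields, pos = {"prom_version": data[0], "compatibility": data[1]}, 2
    while pos < len(data) and data[pos] != 0xFF:   # 0xff treated as padding
        kind, pos = data[pos], pos + 1
        if kind >> 6 == 3:                         # length-prefixed record
            if pos >= len(data):
                raise ValueError(f"record 0x{kind:02x} has no length byte")
            size, pos = data[pos] & 0x3F, pos + 1
        else:
            size = 1 << (kind >> 6)                # 1, 2 or 4 bytes
        value = data[pos:pos + size]
        if len(value) != size:
            raise ValueError(f"record 0x{kind:02x} runs past the end of the dump")
        pos += size
        name = NAMES.get(kind, f"unknown_0x{kind:02x}")
        fields[name] = value.decode("ascii").strip() if name in TEXT else value.hex()
    return fields

def label_mismatches(fields, expected):
    """Names whose decoded value differs from the label or asset record."""
    return sorted(k for k, v in expected.items() if fields.get(k) != v)
```

Passing the serial from the chassis label and the PID from the asset record as `expected` returns an empty list when the cookie agrees with them.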

The priv command

To enter ROMMON priv mode on a Cisco router, see the following instructions.

ROMMON priv command enable mode
Saga about PRIV command in ROMMON

The PRIV password depends on the hardware cookie:

password := (i1+...+i5) mod 2^16

where i1...i5 are the first five words in the cookie

This feature also works on the 1600, 3600 and 7500.

P.S.: on the 7500 no password is needed

Cisco 3640:

System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.

rommon 1 > cookie

00 01 00 03 e3 bd 0d 40 0a ff ...
rommon 2 > priv
Password: fc00
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
rommon 3 >

Cisco 7513:

System Bootstrap, Version 11.1(2) [nitin 2], RELEASE SOFTWARE (fc1)
Copyright (c) 1994 by cisco Systems, Inc.
SLOT 6 RSP2 is system master
RSP2 processor with 131072 Kbytes of main memory

monitor: command "boot" aborted due to user interrupt
rommon 1 > priv
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
rommon 2 >

This priv command is useful when you need to change the cookie info on Cisco hardware after an unexpected change during a lightning storm or similar. Note that you need a sufficient understanding of machine language (assembler) and a lot of legwork, such as studying Cisco hardware info samples and checking PCB printed codes and serial number labels.

The passwd command

Using the passwd command, you can change or clear the enable password used for the priv command. The following illustrates this.

boot> enable debug
password: em gubed
boot> [DANGER] passwd
boot> [DANGER] enable

ROMMON priv Command Applications

As mentioned previously, the priv command is most commonly used to reset Cisco hardware cookie info that was changed unexpectedly by lightning or dirty power. Here is another application of the priv command.

»[H/W] C850/870W WLAN card


by PA23, edited by aryoba
last modified: 2011-08-30 16:36:52