So after doing a lot of searching I found out that I needed to fix the cookie and enter privilege mode of ROMMON to do this. I have been working with Cisco hardware for quite sometime and had never once heard of this little known TAC feature.
Ok, now onto the good stuff.
DISCLAIMER: USE AT YOUR OWN RISK | USE AT YOUR OWN RISK | USE AT YOUR OWN RISK
Here is the error that I was getting when I was trying to boot up my router.
"Readonly ROMMON initialized
loadprog: error - Invalid image for platform"
Now to enter the privledge mode of ROMMON. You will need to find the password to get
in and to get this password, you will need to display the cookie in ROMMON and find
a site that can decipher it for you.
This is the website that I found and kudos to this person!!
http://ers.pp.ru/cgi-bin/priv.cgi
Here is a partial piece of the cookie that was on my router:
rommon 2 > cookie
cookie:
04 ff 09 86 ff ff ff ff ff ff ff ff ff ff ff ff
4f 43 31 31 31 37 33 38 46 50 40 04 0c 41 07 00
82 49 1f fe 07 42 41 30 c0 46 03 20 00 5b 8b 05
88 00 00 00 00 02 04 c6 8a 49 50 4d 37 56 30 30
Now once that you have this on your screen, go to the website mentioned above and
paste the entire first line into the box. It will be a 4 digit password that it
spits out.
Now that you have your password, type in: priv and hit enter, input your password
and the outpur will be something like this.
rommon 7 > priv
Password:
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
Now that you are here, you will need to fix your cookie and will be a topic for
another blog post but what I did was boot up another router into ROMMON and grabbed
the cookie off of that one. (Thats probably not the best idea as it seems that the
MAC address' for the interfaces are derived from this Hexa-Decimal cookie.)
rommon 8 > ?
addrloop walk 1 thru range of addresses
alias set and display aliases command
alter alter locations in memory
berrscan scan range of addresses for bus errors
boot boot up an external process
break set/show/clear the breakpoint
call call a subroutine at address with converted hex args
cat concatenate files
checksum checksum a block of memory
clrerr clear the error log
compare compare two blocks of memory
confreg configuration register utility
cont continue executing a downloaded image
context display the context of a loaded image
cookie display contents of motherboard cookie PROM in hex
cpu cpu / system information and control
cycles excercise the hardware with all possible cycles
dev list the device table
dir list files in file system
dis disassemble instruction stream
dnld serial download a program module
dram verify DRAM
dump display a block of memory
echo monitor echo command
errlog display the error log
fdump file dump utility
fill fill a block of memory
flash flash services command
frame print out a selected stack frame
giodn gio ucode download
giopref select which gio to boot next
gioshow show the gio version
gt96100 print out GT96100 registers
gt96100fe print out GT96100 FE registers
help monitor builtin command help
history monitor command history
ifill fill a block of memory w/incrementing pattern
iomemset set IO memory percent
initfs re-initialize the file system access structures
jump call a subroutine at address with argc/argv
launch launch a downloaded image
leds check out the error LED
memdebug write/read/verify scope loop
meminfo main memory information
memloop write or read scope loop
memtest simple memory test
menu main diagnostic menu
move move a block of memory
repeat repeat a monitor command
reset system reset
rommon-pref Select ROMMON
set display the monitor variables
showmon display currently selected ROM monitor
sleep millisecond sleep command
speed timed performance loop
stack produce a stack trace
sync write monitor environment to NVRAM
sysret print out info from last system return
tcal timer calibration test
tftpdnld tftp image download
tlbdump display the cpu TLB
tlbflush flush the TLB
tlbmap initialize a TLB mapping
tlbpid set/display process ID number
tlbphy search TLB for physical translation
tlbtest test the TLB
tlbscan scan for TLB exceptions
tlbvir search TLB for a virtual translation
tscope timer scope loop
unalias unset an alias
unset unset a monitor variable
watchdog test watchdog rebooting of the box
xmodem x/ymodem image download
Now we need to enter cookie mode so type: cookie
This is what you will see:
View/alter bytes of serial cookie by field --
Input hex byte(s) or: CR -> skip field; ? -> list values
Now if you have a good cookie (In Hexa-Decimal), you will need to paste each line in one at a time.
bytes 0x08-0x0F: ff ff ff ff ff ff ff ff
>
bytes 0x10-0x17: 4f 43 31 31 31 37 33 38
>
bytes 0x18-0x1F: 46 50 40 04 0c 41 07 00
>
bytes 0x20-0x27: 82 49 1f fe 07 42 41 30
<output omitted>
######################
Here are a few more show commands:
rommon 13 > menu
Main Diagnostic Menu
a: alter diag flags
b: basic utilities
c: do all diags in this menu
d: do group of diags in this menu
e: monitor image checksum test
f: internal interrupt test
g: bev state test
h: timer interrupt test
i: size main memory
j: main memory test
k: aux loopback test
l: aux port interrupt test
m: cookie test
n: primary data cache test
o: secondary data cache test
p: tlb test
q: mother board reg test
r: gt96xx dma test
x: return to previous menu
FLAGS: Continuous OFF Stop on error OFF Loop on error OFF Quiet mode OFF
enter Main Diagnostic Menu item > m
*** Warning: if power is lost or user sends break ***
the system will not recover until cookie content is restored.
main board cookie test cookie out of scope, cookie number 0.
phase 1: cookie test with 0x5a5a pattern, main board cookie test
*** TLB (Load/Fetch) Exception ***
Access address = 0x10
PC = 0xbfc1efe8, Cause = 0x8, Status Reg = 0x3041e803
enter Main Diagnostic Menu item > b
Diagnostic Utilities Menu
a: alter memory
b: compare memory block
c: display memory
d: move memory block
e: fill memory
f: memory test
g: memory read or write loop
h: memory debug loop
i: address loop
j: system reset
k: system cold
l: console break interrupt test
m: AUX port echo test
n: show mother board regs
o: poll slots
p: mother board cookie utility
q: show GT96K registers
r: show NM PCI regs
s: PCI config write
t: PCI config read
u: show CF info
x: return to previous menu
Now if you have done everything correct, type the (3) commands below and it should boot up just fine.
rommon 8 > initfs
rommon 9 > sync
rommon 10 > reset
System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
PLD version 0x10
GIO ASIC version 0x127
c2801 platform with 262144 Kbytes of main memory
Main memory is configured to 64 bit mode with parity disabled
Readonly ROMMON initialized
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0xcb80
program load complete, entry point: 0x8000f000, size: 0x2fb6af8
Self decompressing the image :
####################################################################################
####################################################################################
####################################################################################
############# [OK]
Smart Init is enabled
smart init is sizing iomem
ID MEMORY_REQ TYPE
0X003AA110 public buffer pools
0X00211000 public particle pools
0X00020000 Crypto module pools
0X00120000 VPM buffer pools
0X0012 0X00035000 Card in slot 1
0X000021B8 Onboard USB
If any of the above Memory Requirements are
"UNKNOWN", you may be using an unsupported
configuration or there is a software problem and
system operation may be compromised.
Allocating additional 12389767 bytes to IO Memory.
PMem allocated: 245366784 bytes; IOMem allocated: 23068672 bytes
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9-M), Version 12.4(22)YB6,
RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 02-Jun-10 22:33 by prod_rel_team
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Installed image archive
Cisco 2801 (revision 6.0) with 239616K/22528K bytes of memory.
Processor board ID FTX1023Y0S3
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
63984K bytes of USB Flash usbflash0 (Read/Write)
125440K bytes of ATA CompactFlash (Read/Write)
I am recovering my cookie with your site.
ReplyDeleteMy hex code is exactly same above.
my priv password isn't match
04ff + 0986 + ffff + ffff + ffff = 3 0E82
so priv password is 0E82
isn't it?
unfortunately, my password isn't working.
Can you share the password?