Router Password Recovery: Cisco, Huawei, and H3C Guide

1. Introduction to Router Password Recovery

Forgetting or losing a router’s enable password is a common issue faced by network engineers. Luckily, there are multiple methods for router password recovery. The recovery approach depends on the router brand and series, which can easily confuse new engineers. Routers, as Layer 3 network devices, involve complex protocols and a wide range of technical considerations.

Mastering router recovery techniques for brands like Cisco, Huawei, and H3C is crucial to ensure network stability. This guide summarizes recovery methods for these three major manufacturers. Although the methods vary by equipment type, many are applicable across different models.

Therefore, today specially summarized the router recovery methods of the three major manufacturers: Cisco, Huawei and H3C. Although the methods collected in this article only apply to certain types of equipment, you will know after reading that most of them are universal.

Very informative, with too many words. It is suitable for reading often and always new. Remember to save it to your circle of friends in case you need it in case of emergencies.

2. Cisco Router Password Recovery

(1) Principle of password recovery

Cisco routers save several different configuration parameters and store them in different memory modules.

The memory of Cisco series routers includes: ROM, flash memory (Flashmemory), RAM, immutable RAM and dynamic memory (DRAM).

Under normal circumstances, when the router starts up, it first runs the program in ROM to perform system self-test and boot, then runs the ISO in Flash, searches for the router configuration in NVRAM, and loads it into DRAM.

The key to password recovery is to configure the registration code

(ConfigurationRegisterValue) is modified to allow the router to call different parameter tables from different memories for startup.

The valid password is stored in NVRAM, so the essence of changing the password is to make the registration code inactive first, so that you can start it directly, and then restore the registration code after completion (if you forget to restore it, the modified configuration may be lost after the router restarts) .

About the role of memory

ROM stores the boot program of the system, similar to the BIOS of a PC. It is a kind of read-only memory. The program will not be lost when the system is powered off. The flash memory stores the image of CiscoiOS. It is similar to the hard disk of a PC. It is a rewritable and programmable ROM. .

Data will not be lost when the system is powered off. NVRAM stores the configuration file (Startupconfig). RAM stores the current system configuration (Runningconfig). DRAM mainly includes routing tables, ARP cache, Fastswitch cache, packet cache, etc., and also includes the configuration file being executed. The memory data will be lost when powering up. Table 2 Cisco Series Router Configuration Login Code.

ConfigurationRegisterValue meaning

0X2102 default setting

Bit13=0X2000 After Flash boot fails 5 times, it will automatically boot from ROM.

Bit8=0X0100 turns off the Break key

Bootfield=0X20X2101 boots the normal operating mode from Flash

Bit13=0X2000 After Flash boot fails 5 times, it will automatically boot from ROM.

Bit8=0X0100 turns off the Break key

Bootfield=0X10X142 enters bootROM running mode Router (boot)>

Bit8=0X0040 Enter bootmonitor running mode＞or rommon＞

Bootfield=0X2 boots the normal operating mode from Flash

(2) Common methods to recover Cisco router password

• first method

The following routers can be restored using this method:

Cisco 2000 series, 2500 series, 3000 series, Cisco 4000 series using 680×0 Motorola CPU, 7000 series routers running Cisco IOS system version 10.0 or above

Implementation steps

Connect a terminal to the console port of the router or use a PC with emulation terminal software installed.

• Enter the show version command, and then note the register value, usually 0x2102 or 0x102. This value is displayed on the last line. Pay attention to whether the register configuration sets Break to enable or disable.
• The default configuration register value is 0x2102. If the third number from the left of this value is 1, Break is disabled; if it is zero, Break is enabled.
• Cut off the power supply and then restart it.
• Press the Break key on the terminal within 60 seconds of the router booting. The rommon> prompt will be displayed. If the prompt is not like this, the terminal did not send the correct break signal, check whether the Break key is correct or set to disable.
• Enter o/r0x42 or o/r0x41 at the prompt, o/r0x42 means booting from Flash memory, o/r0x41 means booting from ROMs (note that the first character is the letter o, not the number 0).
  It is best to use 0x42. Only use 0x41 when the Flash memory has not been installed or erased. If there is 0x41, you can only view or erase the configuration, and you cannot change the password directly.
• Enter the initialization command at the rommon> prompt.
• Enter the system configuration dialog prompt and hit no, and wait for the prompt message to appear: Press RETURN to get started!
• Hit Enter and the Router> prompt appears.
• Enter the enable command, and the Router# prompt appears.
• Choose one of the options below:
  
  If the password is not encrypted, you can directly use the more nvram:startup-config command to view the password;
  
  When the password is encrypted, it cannot be viewed and can only be modified. Enter the following command:

Router # configure memory

Router # configure terminal

Router(config)# enable secret 1234abcd

Router(config)# ctrl-z

Router # write memory

• Enter configure terminal at the EXEC prompt to enter configuration mode. Enter the config-register command to restore the register value recorded in the second step.
• Press Ctrl-Z to exit the configuration state.
• In privileged mode, use the write memory command to save the configuration, and then reboot.

• Second method

The following routers can be restored using this method: Cisco 1003, 1600 Series, 3600 Series, 4500 Series, 7200 Series, 7500 Series, and IDT Orion-Based routers.

Implementation steps

The first four steps are the same as the previous method:

• Enter the confreg command at the rommon> prompt, as shown below:

Do you wish to change configuration[y/n]?

Enter yes and press Enter. Keep selecting no when answering the following questions until “ignore system config info[y/n]?” appears and enter yes.

Then continue to type no to answer until you see “change boot characteristics [y/n]?” and enter yes. Displayed as follows:

enter to boot:

There are two options 2 and 1 at this prompt. If Flash memory is erased, select 1, so you can only view or erase the configuration, but cannot modify the password directly. Best option 2. The following prompt appears:

Do you wish to change configuration[y/n]?

Answer no and press Enter to display “rommon>”.

• Enter the reload command under privileged EXEC, and the subsequent operations are the same as the first method.

3. Huawei router password recovery (including various versions of BootROM operation methods)

3.1 Clear password for mid- to low-end routers

Clear BOOTROM password:
There is no BOOTROM by default in low-end and mid-range routers. If it is lost after setting, you can only use the universal password: WhiteLily2970013. Note that the master password is case-sensitive.

Super password for AR46 Bootrom 5.04: supperman

In the 97 version of VRP, if the password cannot be eliminated, you need to upgrade to version 2.0;

VRP version 2.0:
(1) Press “Shift+d” during power-on self-test to enter the download interface
(2) Type “*” after the password appears
(3) Type “shift+3”, which means entering “#”

VRP version 1.0:
(1) Press “Ctrl+b” during power-on self-test to enter the download interface
(2) After the password appears, type it in and it will be blank by default, just press Enter.
(3) Type “Ctrl+p”

After deleting the password, you can enter privileged user mode for the first time, but after restarting, you are still asked for the password.

What’s the problem?

The reason is:

When designing, the developers only considered allowing you to enter once after clearing the password to modify the password. The command to modify the password is an implicit command enable password. After entering for the first time, modify the password and save it to disk, which can be eliminated or modified to You know the password.

3.2 Low-end routers (25XX series, 25XXE series, 16XX series, 4001/4001E) clear privilege passwords

• Restart the router;
• After seeing the prompt message “Press Ctrl+B enter BootMenu”, press Ctrl+b to enter the BootMenu menu.
• Press Ctrl+p, several “#” signs and the BootMenu menu will be displayed on the screen.
• Select Reboot
• After the router restarts, press the Enter key several times to enter the privileged mode directly, skipping the step of entering the privileged password.
• At this time, enter enable password new password in global configuration mode to change the privilege password to new password.
• It should be noted here that the enable password command must be written in full, otherwise the system will prompt that this is an incorrect command.

3.3 Clear privileged passwords for mid-range routers (262X series, 36XX series, 36XXE series, 263X series, 263XE series)

• Restart the router
• After seeing the prompt message “Press Ctrl+B enter BootMenu”, press Ctrl+b to enter the BootMenu menu.
• Select Clear application password so you won’t be prompted for a privileged password the next time you start it.
• Select Exit and reboot
• After the router restarts, press the Enter key several times to enter privileged mode directly.
• Skipping the step of entering the privilege password, enter enable password new password in global configuration mode to change the privilege password to new password.

Note: The enable password command here must be written in full, otherwise the system will prompt that this is an incorrect command.

The above BOOTROM version is generally 3.xx/4.xx. The above content is all for the old command line (command line similar to CISCO, such as show run, the new command line refers to the version of disp cu)

3.4 New command line method for clearing passwords on low-end routers

AR router BOOTROM9.07 clears CONSOLE password:

Press Ctrl-B to enter Boot Menu
Please input Bootrom password:

Boot Menu:

1: Download application program with XMODEM
2: Download application program with NET
3: Set application file type
4: Display applications in Flash
5: Clear application password
6: Start up and ignore configuration
7: Enter debugging environment
8: Boot Rom Operation Menu
9: Do not check the version of the software
a: Exit and reboot

Enter your choice(1-a):

After selecting 5, select a to restart the router.

BOOTROM9.06

Boot Menu:

1: Download application program with XMODEM
2: Download application program with NET
3: Clear application password
4: Start up and ignore configuration
5: Enter debugging environment
6: Boot Rom Operation Menu
7: Do not check the version of the software
8: Exit and reboot

Enter your choice(1-8):

Select 3 and then 8 to restart the router

BOOTROM7.06

Boot Menu:

1: Download application program with XMODEM
2: Download application program with NET

3: Clear application password
4: Start up and ignore configuration
5: Enter debugging environment
6: Boot Rom Operation Menu
7: Do not check the version of the software
8: Exit and reboot

Enter your choice(1-8):

Choose 3 and then choose 8 to restart the router.

BOOTROM5.28

Press Ctrl-B to enter Boot Menu

Please input Boot ROM password:

Boot Menu:

1: Download application program with XMODEM
2: Download application program with NET
3: Clear configuration
4: Start up and ignore configuration
5: Boot ROM Operation Menu
6: Do not check the version of the software
7: Exit and reboot
Enter your choice(1-7):

Selecting 3 will clear the configuration, selecting 4 will ignore the configuration and start with factory settings. After startup, configure the router DOWN, change the password, and then import it again.

BOOTROM5.1

Press Ctrl-B to enter Boot Menu

Please input Bootrom password:

Boot Menu:

1: Download application program

2: Download Bootrom program
3: Modify Bootrom password
4: Exit the menu
5: Reboot
Enter your choice(1-5):

Press ctrl+p and then select 5 to clear the password

3.5 Ignore the configuration, clear the password and then import the configuration steps

• Reconfigure the router’s Ethernet port address

[Router-Ethernet1]ip address 192.168.10.1 255.255.255.0

• Ensure that the Ethernet ports of the PC and router can communicate with each other
• Configure an FTP account on the router for DOWN configuration from the PC
  [Router]local-user ftp password sim ftp ftp-directory flash:/
• Start the FTP service on the router
  [Router]ftp-server enable
• Enter CMD in the run bar of the PC
  FTP 192.168.10.1
  Enter username ftp password ftp
  hash
  lcd c:\ specifies the downloaded configuration file directory
  get config
  Then open it with a writing pad or notepad and change the password before entering it.
  Note: There is no need to save the configuration after uploading. If you save the configuration again, the uploaded configuration will be overwritten.

3.6 Summary

The method of clearing passwords in BOOTROM 5.28/7.03/7.05/7.06/9.03/9.05/9.06/9.07 is basically the same, which is Clear application password or Start up and ignore configuration.

To clear the password in BOOTROM 5.1, press ctrl+p.

4. H3C router recovery password

H3C routers need to turn off the power first and restart the router. Note that when press CTRL+B to enter extended boot menu is displayed on the terminal, please press ctrl+B quickly to enter the extended boot options.

Then, you can enter the router view:

(1) Low-end H3C equipment

After the restart is complete, you can directly enter the system view.

(2) Mid-range H3C equipment

After the restart is completed, you can directly enter the system view [Router]. At this time, change or add an exec password of type admin and save it.