Hacking rommon

Today I needed to hack a 3620 in order to get a certain image on it and it took awhile for me to find the information I needed. I guess my google-fu was not up to snuff and my coworker came through. Because of that, I wanted to document my adventures to make it easier for others to do the same.

What we want to do is change the serial number of the router in order for the image to load. This is how you do it.

rommon 1 > cookie
cookie:
00 01 00 30 85 d7 e0 60 0a ff 73 18 50 12 00 20
25 11 89 64 b0 ff 01 02 09 ff ff ff ff ff 00 02

Each Cisco router has it’s own rommon password that is determined by the cookie. So next we need to calculate the password, fire up your trusty scientific calculator and add the first five numbers in 16-bit hex:

00 01
+ 00 30
+ 85 d7
+ e0 60
+ 0a ff

————————-
= 17167

The password is only four characters, so remove the most significant bit and the password is 7167.

rommon 2 > priv
Password: 7167
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.

So now we can do some serious damage. In this next session if there is nothing after the greater than sign, just press enter, also notice that each 8-bit hex corresponds to the answers in order:

rommon 3 > cookie

View/alter bytes of serial cookie by field —
Input hex byte(s) or: CR -> skip field; ? -> list values
interfaces: 00 (unknown)
>

vendor: 01 (cisco)
>

ethernet Hw address: 00 30 85 d7 e0 60
>

processor: 0a (C3600)
>

unused 1: ff 73 18 50 12 00 20
>

BCD-packed 8-digit serial #: 25 11 89 64
> ff 11 44 55

unused 2: b0 ff 01 02 09 ff ff ff ff
>

capabilities (future): ff 00
>

cookie version #: 02
>
rommon 4 >

The section that is the binary coded decimal serial number is what we want to change, so we are changing the old serial number from 25-11-89-64 to ff-11-44-55.

BCD-packed 8-digit serial #: 25 11 89 64
> ff 11 44 55

Time to test whether the change was mode so we reboot the router and make sure it took:

rommon 4 > reset

And after the reboot:

rommon 1 > cookie
cookie:
00 01 00 30 85 d7 e0 60 0a ff 73 18 50 12 00 20
ff 11 44 55 b0 ff 01 02 09 ff ff ff ff ff 00 02
rommon 2 >

Notice that the serial number is now changed.

Hacking the cookie of a 2600 is not as easy, this is how it is done. I am using a Cisco 2611XM but it should be similar on any router in this class.

rommon 1 > cookie

cookie:
01 01 00 11 92 74 d2 80 43 20 00 ff 03 6b 00 20 
00 00 00 00 00 00 00 00 4a 41 45 08 26 4d 53 50 
51 03 01 00 00 00 00 00 00 ff ff ff 50 06 49 1d 
ff 05 ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Finding the rommon password to get into the priv command is the same as above, however, editing the cookie is much different. For this particular router the priv password is a926.

rommon 2 > priv
Password: a926
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.

The next section is how to change the serial number. The serial number of this router is 4a-41-45-08-26-4d-53-50-51. In order to change it you want to change all of the bytes on line 0x18-0x1F and the first two bytes of 0x20-0x27

rommon 3 > cookie

View/alter bytes of serial cookie by field --
Input hex byte(s) or: CR -> skip field; ? -> list values
bytes 0x00-0x07: 01 01 00 11 92 74 d2 80
               > 

bytes 0x08-0x0F: 43 20 00 ff 03 6b 00 20
               > 

bytes 0x10-0x17: 00 00 00 00 00 00 00 00
               > 

bytes 0x18-0x1F: 46 54 58 09 45 57 30 4d
               > 

bytes 0x20-0x27: 59 03 01 00 00 00 00 00
               > 

bytes 0x28-0x2F: 00 ff ff ff 50 06 49 1d
               > 

bytes 0x30-0x37: ff 05 ff ff ff ff ff ff
               > 

bytes 0x38-0x3F: ff ff ff ff ff ff ff ff
               > 

bytes 0x40-0x47: ff ff ff ff ff ff ff ff
               > 

bytes 0x48-0x4F: ff ff ff ff ff ff ff ff
               > 

bytes 0x50-0x57: ff ff ff ff ff ff ff ff
               > 

bytes 0x58-0x5F: ff ff ff ff ff ff ff ff
               > 

bytes 0x60-0x67: ff ff ff ff ff ff ff ff
               > 

bytes 0x68-0x6F: ff ff ff ff ff ff ff ff
               > 

bytes 0x70-0x77: ff ff ff ff ff ff ff ff
               > 

bytes 0x78-0x7F: ff ff ff ff ff ff ff ff
               > 
rommon 4 > 
This entry was posted in Routing. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s