Today I needed to hack a 3620 in order to get a certain image on it and it took a while for me to find the information I needed. I guess my google-fu was not up to snuff and my coworker came through. Because of that, I wanted to document my adventures to make it easier for others to do the same.
What we want to do is change the serial number stored in the router's cookie so that the image will load. This is how you do it. First, dump the cookie from ROMMON:
rommon 1 > cookie
cookie: 00 01 00 30 85 d7 e0 60 0a ff 73 18 50 12 00 20 25 11 89 64 b0 ff 01 02 09 ff ff ff ff ff 00 02
Each Cisco router has its own rommon password, and it is derived from the cookie. To calculate it, read the cookie as big-endian 16-bit words (pairs of bytes), fire up your trusty scientific calculator and add the first five of them in hex:
  0001
+ 0030
+ 85d7
+ e060
+ 0aff
-------
= 17167
The password is only four hex digits, so keep just the low 16 bits (drop the carry, the leading 1): the password is 7167.
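The calculation above, as an added example in Python (not part of the original post): it parses a cookie dump, adds the first five big-endian 16-bit words and keeps the low 16 bits. It is checked against both cookies on this page, the 3620 (7167) and the 2611XM further down (a926). The function names and the `words` parameter, which lets you try a different word count, are this example's own.

```python
# Added example, not from the original post: compute the ROMMON "priv"
# password from a cookie dump the way the post does it by hand.
# Rule shown on the page: add the first five big-endian 16-bit words of
# the cookie and keep only the low 16 bits (the carry is dropped).
# Function names and the `words` parameter are this example's own choices.

def parse_cookie(dump: str) -> bytes:
    """Parse the output of the ROMMON `cookie` command (space-separated hex
    bytes, optionally prefixed with the 'cookie:' label) into bytes."""
    tokens = dump.replace("cookie:", " ").split()
    return bytes(int(t, 16) for t in tokens)


def word_sum(cookie: bytes, words: int = 5) -> int:
    """Full, un-truncated sum of the first `words` big-endian 16-bit words.
    Returned separately so the carry the post says to discard is visible."""
    if len(cookie) < 2 * words:
        raise ValueError(f"cookie has {len(cookie)} bytes, need {2 * words}")
    return sum(int.from_bytes(cookie[i:i + 2], "big")
               for i in range(0, 2 * words, 2))


def priv_password(cookie: bytes, words: int = 5) -> str:
    """The four-hex-digit priv password: low 16 bits of the word sum."""
    return f"{word_sum(cookie, words) & 0xFFFF:04x}"


# Cookies as dumped on the page (3620 first, then the first 48 bytes of the
# 2611XM cookie; the password only needs the first ten bytes anyway).
COOKIE_3620 = parse_cookie(
    "00 01 00 30 85 d7 e0 60 0a ff 73 18 50 12 00 20 "
    "25 11 89 64 b0 ff 01 02 09 ff ff ff ff ff 00 02")
COOKIE_2611XM = parse_cookie(
    "01 01 00 11 92 74 d2 80 43 20 00 ff 03 6b 00 20 "
    "00 00 00 00 00 00 00 00 4a 41 45 08 26 4d 53 50 "
    "51 03 01 00 00 00 00 00 00 ff ff ff 50 06 49 1d")

if __name__ == "__main__":
    for name, cookie in (("3620", COOKIE_3620), ("2611XM", COOKIE_2611XM)):
        print(f"{name}: sum={word_sum(cookie):#x} "
              f"priv password={priv_password(cookie)}")
```

Note that the password depends only on the first ten bytes of the cookie, and the serial number lives further in on both platforms, so rewriting the serial does not change the priv password.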
rommon 2 > priv
Password: 7167
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your configuration and/or system images and could render the machine unbootable.
So now we can do some serious damage. With priv access the cookie can be edited field by field. In the next session each prompt shows the field's current bytes before the greater than sign; if there is nothing after the greater than sign, just press enter and the field keeps its value. Only the serial number field gets a new value typed in:
rommon 3 > cookie
View/alter bytes of serial cookie by field --
Input hex byte(s) or: CR -> skip field; ? -> list values
interfaces: 00 (unknown)
>
vendor: 01 (cisco)
>
ethernet Hw address: 00 30 85 d7 e0 60
>
processor: 0a (C3600)
>
unused 1: ff 73 18 50 12 00 20
>
BCD-packed 8-digit serial #: 25 11 89 64
> ff 11 44 55
unused 2: b0 ff 01 02 09 ff ff ff ff
>
capabilities (future): ff 00
>
cookie version #: 02
>
rommon 4 >
The field we want is the binary coded decimal serial number, so at that prompt we type the new value, changing the old serial number 25 11 89 64 to ff 11 44 55:
BCD-packed 8-digit serial #: 25 11 89 64 > ff 11 44 55
Strictly speaking, BCD digit pairs run from 00 to 99, so a serial made of decimal pairs such as 12 34 56 78 is the safer choice; ROMMON accepted ff here all the same. Time to test whether the change was made, so we reset the router and make sure it took:
rommon 4 > reset
And after the reboot:
rommon 1 > cookie
cookie: 00 01 00 30 85 d7 e0 60 0a ff 73 18 50 12 00 20 ff 11 44 55 b0 ff 01 02 09 ff ff ff ff ff 00 02
rommon 2 >
Notice that the serial number is now changed, while the first ten bytes, and therefore the priv password, are untouched.
Hacking the cookie of a 2600 is not as easy; this is how it is done. I am using a Cisco 2611XM, but it should be similar on any router in this class. Dump the cookie first; it is 128 bytes (0x00 to 0x7F), most of them ff:
rommon 1 > cookie
cookie: 01 01 00 11 92 74 d2 80 43 20 00 ff 03 6b 00 20
        00 00 00 00 00 00 00 00 4a 41 45 08 26 4d 53 50
        51 03 01 00 00 00 00 00 00 ff ff ff 50 06 49 1d
        ff 05 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
        ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
        ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
        ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
        ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Finding the rommon password to get into the priv command is the same as above: 0101 + 0011 + 9274 + d280 + 4320 = 1a926, so for this particular router the priv password is a926. Editing the cookie, however, is quite different: instead of named fields, this ROMMON presents the cookie as raw rows of eight bytes.
rommon 2 > priv
Password: a926
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your configuration and/or system images and could render the machine unbootable.
The next section is how to change the serial number. It occupies nine bytes, 0x18 through 0x20: 4a 41 45 08 26 4d 53 50 51. That reads as the ASCII letters JAE, the BCD-packed digits 08 26 and the ASCII letters MSPQ, i.e. the serial JAE0826MSPQ. To change it, enter all eight bytes of the 0x18-0x1F row and the first byte of the 0x20-0x27 row; the 03 after it keeps its value. The session below was captured after the edit, so those two rows already show the new value, 46 54 58 09 45 57 30 4d 59 (which decodes the same way as FTX0945W0MY); as before, a bare enter keeps a row unchanged:
rommon 3 > cookie
View/alter bytes of serial cookie by field --
Input hex byte(s) or: CR -> skip field; ? -> list values
bytes 0x00-0x07: 01 01 00 11 92 74 d2 80
>
bytes 0x08-0x0F: 43 20 00 ff 03 6b 00 20
>
bytes 0x10-0x17: 00 00 00 00 00 00 00 00
>
bytes 0x18-0x1F: 46 54 58 09 45 57 30 4d
>
bytes 0x20-0x27: 59 03 01 00 00 00 00 00
>
bytes 0x28-0x2F: 00 ff ff ff 50 06 49 1d
>
bytes 0x30-0x37: ff 05 ff ff ff ff ff ff
>
bytes 0x38-0x3F: ff ff ff ff ff ff ff ff
>
bytes 0x40-0x47: ff ff ff ff ff ff ff ff
>
bytes 0x48-0x4F: ff ff ff ff ff ff ff ff
>
bytes 0x50-0x57: ff ff ff ff ff ff ff ff
>
bytes 0x58-0x5F: ff ff ff ff ff ff ff ff
>
bytes 0x60-0x67: ff ff ff ff ff ff ff ff
>
bytes 0x68-0x6F: ff ff ff ff ff ff ff ff
>
bytes 0x70-0x77: ff ff ff ff ff ff ff ff
>
bytes 0x78-0x7F: ff ff ff ff ff ff ff ff
>
rommon 4 >
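Added example in Python, not from the original post, covering both cookie layouts on this page: it decodes the BCD-packed serial of the 3600-style cookie and the nine-byte serial of the 2600-style cookie, builds a patched cookie, and prints rows in the form the 2600 editor prompts for them. The 3600 offsets come from the named fields in the first session; reading the 2600 serial as three ASCII letters, four BCD digits and four ASCII characters is an interpretation of the bytes the page shows (4a 41 45 08 26 4d 53 50 51 = JAE0826MSPQ, 46 54 58 09 45 57 30 4d 59 = FTX0945W0MY), not something the post states. The function names and the 12345678 test serial are this example's own.

```python
# Added example, not from the original post. Decode and rewrite the serial
# number field in both cookie layouts shown on the page and print rows in
# the form the 2600-style editor prompts for them. Offsets and the
# ASCII/BCD/ASCII reading of the 2600 serial are taken from the page's
# transcripts; function names are this example's own.

SERIAL_3600 = slice(0x10, 0x14)   # "BCD-packed 8-digit serial #" field, 4 bytes
SERIAL_2600 = slice(0x18, 0x21)   # 9 bytes: 3 ASCII + 2 BCD (4 digits) + 4 ASCII


def parse_cookie(dump: str) -> bytes:
    """Parse a ROMMON `cookie` dump (hex bytes, optional 'cookie:' label)."""
    return bytes(int(t, 16) for t in dump.replace("cookie:", " ").split())


def bcd_decode(data: bytes) -> str:
    """Unpack BCD bytes into a digit string. Nibbles above 9 are rejected:
    ROMMON accepted the post's 'ff 11 44 55', but ff is not a BCD pair."""
    out = []
    for b in data:
        hi, lo = b >> 4, b & 0x0F
        if hi > 9 or lo > 9:
            raise ValueError(f"byte {b:02x} is not valid BCD")
        out.append(f"{hi}{lo}")
    return "".join(out)


def bcd_encode(digits: str) -> bytes:
    """Pack an even-length string of decimal digits, two per byte."""
    if len(digits) % 2 or any(c not in "0123456789" for c in digits):
        raise ValueError("BCD needs an even number of decimal digits")
    return bytes(int(digits[i]) << 4 | int(digits[i + 1])
                 for i in range(0, len(digits), 2))


def serial_3600(cookie: bytes) -> str:
    return bcd_decode(cookie[SERIAL_3600])


def set_serial_3600(cookie: bytes, serial: str) -> bytes:
    if len(serial) != 8:
        raise ValueError("3600-style serial is 8 decimal digits")
    return cookie[:SERIAL_3600.start] + bcd_encode(serial) + cookie[SERIAL_3600.stop:]


def serial_2600(cookie: bytes) -> str:
    raw = cookie[SERIAL_2600]
    return raw[:3].decode("ascii") + bcd_decode(raw[3:5]) + raw[5:].decode("ascii")


def set_serial_2600(cookie: bytes, serial: str) -> bytes:
    """Serial in the JAE0826MSPQ shape: 3 letters, 4 digits, 4 characters."""
    if len(serial) != 11:
        raise ValueError("2600-style serial is 11 characters")
    raw = (serial[:3].encode("ascii") + bcd_encode(serial[3:7])
           + serial[7:].encode("ascii"))
    return cookie[:SERIAL_2600.start] + raw + cookie[SERIAL_2600.stop:]


def editor_rows(cookie: bytes, width: int = 8) -> list:
    """Rows as the 2600 editor shows them: 'bytes 0x18-0x1F: 46 54 ...'."""
    return [f"bytes 0x{i:02X}-0x{i + width - 1:02X}: "
            + " ".join(f"{b:02x}" for b in cookie[i:i + width])
            for i in range(0, len(cookie), width)]


# Cookies as dumped on the page. The 2611XM dump is 48 data bytes, then
# 'ff 05' and a run of 78 x 'ff', 128 bytes (0x00-0x7F) in total.
COOKIE_3620 = parse_cookie(
    "00 01 00 30 85 d7 e0 60 0a ff 73 18 50 12 00 20 "
    "25 11 89 64 b0 ff 01 02 09 ff ff ff ff ff 00 02")
COOKIE_2611XM = parse_cookie(
    "01 01 00 11 92 74 d2 80 43 20 00 ff 03 6b 00 20 "
    "00 00 00 00 00 00 00 00 4a 41 45 08 26 4d 53 50 "
    "51 03 01 00 00 00 00 00 00 ff ff ff 50 06 49 1d "
    "ff 05") + b"\xff" * 78

if __name__ == "__main__":
    print("3620 serial:", serial_3600(COOKIE_3620))
    patched = set_serial_3600(COOKIE_3620, "12345678")        # constructed new value
    print("3620 new field:", patched[SERIAL_3600].hex(" "))
    print("2611XM serial:", serial_2600(COOKIE_2611XM))
    patched = set_serial_2600(COOKIE_2611XM, "FTX0945W0MY")   # value the session above shows
    for row in editor_rows(patched)[3:5]:                     # rows 0x18-0x1F and 0x20-0x27
        print(row)
```

The BCD decoder deliberately rejects nibbles above 9, so the ff used in the 3620 session fails the check; choose decimal pairs if you want a serial that reads back cleanly. Rows other than the two that hold the serial come out identical to the originals, which is what you want to see before typing anything into the editor.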
I had to sum up the whole first line of the cookie (8 values, 16-bit each), not only the first 5 values.