Saga about the PRIV command in ROMMON



One sunny day, when I was a little boy and had a Cisco 4500, I wanted to
understand how the read-only monitor in this router works. Via telnet I ran the command:

sh mem 0xBFC00000 0xBFC28F30

I saved the result to a file and converted it to binary. Next I fed the binary to a disassembler.
After one day of work I found that ROMMON has many undocumented commands. There was also
a PRIV command, and a password was needed to execute it. Another day I spent exploring the assembler code.
Before evening I found that the password depends on the hardware cookie:

password := (i1+...+i5) mod 2^16

where i1...i5 are the first five words in the cookie

This feature also works on the 1600, 3600 and 7500.

P.S.: on the 7500 no password is needed.

Cisco 3640:

System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright (c) 1999 by cisco Systems, Inc.

rommon 1 > cookie

cookie:
00 01 00 03 e3 bd 0d 40 0a ff ...
rommon 2 > priv
Password: fc00
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
rommon 3 >
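
Worked check of the formula against the 3640 session above (added here, not part of the original text). It reads each word as 16 bits in the order the bytes are printed, which is the reading that reproduces the password shown:

i1 = 0x0001, i2 = 0x0003, i3 = 0xe3bd, i4 = 0x0d40, i5 = 0x0aff

(0x0001 + 0x0003 + 0xe3bd + 0x0d40 + 0x0aff) mod 2^16 = 0xfc00

This matches the password fc00 entered at the priv prompt.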

Cisco 7513:

System Bootstrap, Version 11.1(2) [nitin 2], RELEASE SOFTWARE (fc1)
Copyright (c) 1994 by cisco Systems, Inc.
SLOT 6 RSP2 is system master
RSP2 processor with 131072 Kbytes of main memory

monitor: command "boot" aborted due to user interrupt
rommon 1 > priv
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
rommon 2 >