Break sequence on a Cisco 1921 ISR

A colleague made me aware of a potentially serious problem on Cisco 1921 and other ISR G2 routers. According to Field Note 63355, these devices shipped with a buggy version of ROMMON, the software that controls the boot process of Cisco routers. Here’s how Cisco describe the problem:

Routers with ROMMON version 15.0(1r)M1 fail to respond to the break sequence command received from a device connected to the console port. This failure prevents normal password recovery of the device.

If you have a 1941 you can simply pull the CF card to enter into ROMON. But what about it you have a 1921 and need to perform password recovery? the Cisco 1921 doesn’t have a CF card, and according to Cisco has no user-replaceable flash. You’re essentially forever locked out of your device.

Thankfully, there’s a workaround. If you pop open the cover of a Cisco 1921, using a Torx 10 screwdriver, you’ll see a small daugher-board. This small daughter-board, secured with a single screw, is the flash on the 1921. Remove the single screw and carefully lift out the board.

Turn on your router with a serial-cable connected and you’ll enter ROMMON where you can perform the usual reset procedure (confreq). Entering ROMMON should look like the following:

System Bootstrap, Version 15.0(1r)M1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2011 by cisco Systems, Inc.

Total memory size = 512 MB
Field Upgradeable ROMMON Integrity test
_______________________________________
ROM: Digitally Signed Release Software
CISCO1921/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC disabled


Upgrade ROMMON initialized
rommon 1 > confreg 0x2142
rommon 2 > reset

Once you’ve reset the device you can reseat and secure the flash, then put the case back on.