Fun with a Cisco 1600

(Long geeky post alert. You probably don’t want to read this unless your Cisco is dead and you got here via google or something).

A number of years ago (May 2005, to be exact) Tanya’s Cisco 1600 (diginet leased-line router) went funny after a power outage. I pulled in a favour, got a friend of a friend who works with these things to look at it — but he couldn’t fix it.

After much googling* I learnt that there’s a “cookie” in Non-Volatile RAM (NVRAM) which very few people know about since it’s factory-set. If NVRAM is wiped, you have a problem. You need to connect to the Cisco using the right kind of cable, a terminal program, and 9600,N,8,1.

If your cookie is cleared, no problem. If it is corrupt, though, you will need to calculate the password to be able to change the corrupted bits.

System Bootstrap, Version 11.1(7)AX [kuong (7)AX], EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
Copyright (c) 1994-1996 by cisco Systems, Inc.
First location in NVRAM fails ... cannot size NVRAM
Warning: monitor nvram area is corrupt ... using default values
Bad checksum on cookie structure, resorting to backup copy
Warning: Cookie information is corrupt
environment write to NVRAM failed
C1600 processor with 2048 Kbytes of main memory
(Here I hit Ctrl-Break)
monitor: command "boot" aborted due to user interrupt
rommon 1 > cookie
Bad checksum on cookie structure, resorting to backup copy
Warning: Cookie information is corrupt
cookie:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
rommon 2 > priv
Password: (This would be 0000 for the above cookie, otherwise you need to calculate it)
Bad checksum on cookie structure, resorting to backup copy
Warning: Cookie information is corrupt
You now have access to the full set of monitor commands.
Warning: some commands will allow you to destroy your
configuration and/or system images and could render
the machine unbootable.
rommon 3 > cookie

View/alter bytes of serial cookie by field --
Input hex byte(s) or: CR -> skip field; ? -> list values
interfaces soc 0: 00    (unknown)
                > 01

vendor: 00    (unknown)
      > 01

ethernet Hw address: 00 00 00 00 00 00
                   > d5 aa 96 de aa eb (Anybody recognise this?)

processor: 00    (PAN)
         > 09

Hw rework: 00 00 00 00
         > 00 00 00 01

interfaces soc 1: 00    (unknown)
                > 02

unused 1: 00 00
        > 00 00

BCD-packed 8-digit serial #: 00 00 00 00
                           > 00 0d 8c f3

unused 2: 00 00 00 00 00 00 00 00 00
        > 

capabilities (future): 00 00
                     > 

cookie version #: 00
                > 01

Now, you should be able to

rommon 4 > sync
rommon 5 > boot
program load complete, entry point: 0x4018060, size: 0x1da950

But instead what happened was

rommon 4 > sync
environment write to NVRAM failed

So I pulled the cover, found the 28HC64 8k x 8 CMOS EEPROM, bought a new EEPROM and a socket from Communica, performed the appropriate transplant, and all is now well.

Now here’s where a bit of black magic slips in. I had to do this the previous time, and after much struggling I found that I also had to do it this time. And I have no idea where this information comes from, but it’s in my notes from 2005.

The first time the router boots up, go

> enable
# configure terminal
(config)# config-register 0x2142
(config)# end
# write
# reload

And then repeat with the original 0x2102 value. Then proceed to configure the router. I didn’t do this, and all was well, except that the configuration interface would not accept “ip route” commands, and of course the router wouldn’t. Route, that is.

There. Now you know as much as I do. Ask if you need to know how to actually configure the router.

* Actually, “googling” is rather generic since I found this page via altavista, not google.