[Maarten Van Horenbeeck] [Information Security] [Resources]

Recovering from a corrupted Cisco Cookie

Somewhere in the beginning of January 2006, just two days prior to me leaving the country for a year - my Cisco 827 ADSL router broke. That was very unpleasant, as I was planning on having it serve the internet connection of my mom for the next year. The error I was getting was a "WARNING: Cookie Information is corrupt", after which it dumped me in rommon mode. Prior to this, the router had been behaving erratically over the previous days.

Normally, with this error you would open a case with the Cisco TAC and have them replace the device within four hours. Ofcourse, those contracts are not very affordable and since I bought the device second-hand, this wasn't an option. After the necessary searching and experimenting, I was able to recover from this problem. This page gives some insight on how to go about doing this. However, do note that it is quite easy to break your router completely while trying to fix this. As such, please don't take this page as your only source of truth and think before you act on the device. I'm not responsible for your router, you are.

The full error message you are most likely seeing upon boot is the following:
"WARNING: Cookie information is corrupt"

loadprog: error - Invalid image for platform
e_machine= 62 , cpu_type = 80

Cannot load "Flash:"
When you get this error message, you are dropped in rommon mode. Try running a sh cookie. It is very likely that you will be returned the same error message, followed by a large number of 00's. This confirms that the problem is indeed the cookie. Normally that part of the router's memory should contain information on the type of device, its hardware revision, cpu type etc.

Luckily, most Cisco 827's carry either identical or very similar hardware, so by taking the cookie of any other 827, you should be able to get it operational again. One issue here is the MAC address, which you will also be resetting. However, if both routers are not directly interconnected, this should not be an issue.

Enter the command cookie.

The Cisco 827 will now prompt you for the new cookie information, part by part. Complete this as follows:
byte 0x00 - Version: 01 
byte 0x01 - Vendor (Recommended Value: 0x01): 01 
bytes 0x02-0x07 - Ethernet HW Address: 00 04 27 fe 00 ea 
byte 0x08-0x08 - Processor (Recommended Value: 0x3e): 3e  
byte 0x09-0x09 - NVRAM Size (Recommended Values: 256K - 0x00): 00 
byte 0x0a-0x0a - CPU Speed (Recommended Value: 50Mhz - 0x01): 01 
byte 0x0b-0x0b - Unused: ff 
bytes 0x0c-0x0d - On-board PM ID: 01 ff 
bytes 0x0e-0x0f - MAC Address Allocated: 00 00 
bytes 0x10-0x17: 00 00 00 00 00 00 00 00 
bytes 0x18-0x22: 4a 41 44 05 42 30 39 ** ** 03 01 
bytes 0x23-0x24 - Deviation: 6f e6  
bytes 0x25-0x2c: 00 00 00 00 ff ff ff 50 
bytes 0x2d-0x2d - Board Config: 04 
bytes 0x2e-0x31: 49 11 ec 03 
bytes 0x32-0x37 - WAN MAC Address: ff ff ff ff ff ff 
bytes 0x38-0x3f: ff ff ff ff ff ff ff ff 
bytes 0x40-0x47: ff ff ff ff ff ff ff ff 
bytes 0x48-0x4f: ff ff ff ff ff ff ff ff 
bytes 0x50-0x57: ff ff ff ff ff ff ff ff 
bytes 0x58-0x5f: ff ff ff ff ff ff ff ff 
bytes 0x60-0x67: ff ff ff ff ff ff ff ff 
bytes 0x68-0x6f: ff ff ff ff ff ff ff ff 
bytes 0x70-0x77: ff ff ff ff ff ff ff ff 
bytes 0x78-0x7f: ff ff ff ff ff ff ff ff
The ** ** at bytes 0x18-0x22 is the processor board ID. The value used here is JAD054209**. I was unable to find this for my device so entered a random value, with no ill effect. 03 01 is the CPU revision. The next two ranges, 0x23-0x24 and 0x25-0x2c are the hardware revision and cpu_type. If you know that you have unusual equipment here I would suggest to find an identical router and copy it's cookie over (sh cookie).

I believe I had some issues at the end with the number of data the PIX requested compared with the cookie above. Just enter as many ff's as the device asks. Also note that this information is only valid for the Cisco 827 router. You might be able to find those of other devices online, but alternatively track someone down with such device who can go into rommon mode and run the sh cookie command and provide you with the output. Feel free to provide any such outputs to me and I'll place them online on this page.