The No Service Password-Recovery feature is a security enhancement that prevents anyone with console access to a Cisco router from accessing the configuration or recovering the password. First of all, I should say that the information in this article should not be used for illegal purposes. This information should only be used to reset a lost password or to return a router, which you own, back to its default configuration. There are only a few methods of getting around the No Service Password-Recovery feature, all of which destroy the startup configuration.
1. Routers that have NVRAM chips can be removed and reseated or replaced. The NVRAM is the location of your startup configuration and removing the chip disconnects it from battery-backed up static RAM or SRAM. After reseating the chip, the NVRAM will be empty giving you access to the router. 3640 and 3660 are some examples of routers that this method will work on.
2. 1700, 2600, 2800, and 3620 Cisco routers use an electrically erasable programmable read-only memory or EEPROM to hold their startup configuration. The EEPROM will not erase when you remove it, so the first method will not work. Power cycle the router with console access and press Ctrl+Break within 5-10 seconds of the IOS software image decompressing, or roughly when you see "Image text-base". If you time the break sequence correctly, you will be given a ROMMON prompt, allowing you to change the config-register to 0x2142 and procceed with the password recovery as you would with any other unit. It may take a few times to time the break sequence correctly, be patient if you don't get it the first time.