Did you ever had to identify a Cisco IOS image when you couldn’t rely on the filename?
Look for strings starting with CW_ between strings CW_BEGIN and CW_END in the image file, for example like this:
You will find strings like CW_IMAGE, CW_FAMILY, CW_FEATURE, CW_VERSION, CW_MEDIA, CW_SYSDESCR and CW_MAGIC between strings CW_BEGIN and CW_END.
In this example, the IOS version is 12.4(6)T5 (CW_VERSION) and it is designed to run on 870 routers (CW_FAMILY).
The nice thing about these CW_ strings is that you will also find them in a core dump (in the data region), thus allowing you to identify the IOS version that was running on a router when the core dump was produced (provided the image runs from RAM, indicated by a letter m in the filename).
And they are also present in the uncompressed image (compressed image files are identified by a letter z in the filename).
Soon I will release a tool to validate IOS image files, you can use it to extract these CW_ strings too.
Leave a reply
