APC AP9605 PowerNet SNMP Adapter Username and Password Recovery

How to find and reset the user name and/or password on the APC AP9605 (and also the AP9606)

Introduction


The APC AP9605 PowerNet SNMP Adapter is a SmartSlot accessory which was sold by APC for their UPS products (it has since been discontinued in favor of newer/more advanced cards). Basically, is a 10 Mbps ethernet adapter which allows the UPS to communicate via SNMP instead of having to use a serial cable connected to one computer. The benefit of this is that multiple computers/servers can query the UPS directly, instead of having one "master" server which is connected via a serial cable with which the other computers must communicate.

The AP9605 was produced sometime around the mid to late '90s, which means it is probably considered an antique in most IT environments, however this card still has plenty to offer those of us who are a little lower on the IT totem pole such as small networks, home users, etc. Unlike its successor (the AP9606), the AP9605 does not have a web management feature; in order to configure it, you must use the command line interface (via a serial cable or telnet, though it is possible to disable telnet so that you need physical access to the device for a bit more security). By shopping around a bit on eBay, these cards can be purchased for around $5 each in quantities of 5+ or so, or if you are just looking for a single card, $10 seems to be about the norm. (Those prices assume used cards; "new" ones can be considerably more expensive, given that there are quite a few goofball sellers out there who apparently are under the impression that these cards are made of solid gold as opposed to being last decade's technology.)

The default username/password for these cards is apc/apc. One drawback to purchasing one of these cards used is that sometimes a previous user has changed the default username and/or password. If you cannot log in to change the networking configuration and such, the card is useless.

One option which is available to you is to simply contact APC's customer service department (their web site is www.apc.com). If you give them the card's serial number, they can provide you with a backdoor password. When you log in with the username of apc in conjunction with the backdoor password, the username and password will be reset back to apc/apc. This is probably the easiest option, but if you are in a hurry, or just like doing things yourself, this page describes how to determine the username and password for your AP9605 card and also how to reset it.
Installing the Card


In order to communicate with the card, you need to install it in a UPS. Here is the procedure I use:
  1. Press the "off" button on the UPS (this will power off any connected equipment)
  2. Unplug the UPS
  3. Press the "off" button on the UPS again, only this time, hold it down until you hear a click. This will take about 3-5 seconds.
  4. Remove the screws and cover from the SmartSlot port, if necessary.
  5. Slide the AP9605 into the SmartSlot
  6. Install screws to secure the card in the slot if you are leaving it there and putting the UPS into use, otherwise if you are just testing or will be pulling cards in and out frequently, the screws aren't necessary for it to work, just make sure the card is fully seated. There is no need to connect an ethernet cable at this point, the configuration will be done via the serial port.
  7. Plug the UPS back in. (You don't need to press the "on/test" button, just plugging in the UPS is enough to power up the SmartSlot port and allow you to establish a serial connection.
The reason for holding down the "off" button for 5 seconds is because just unplugging the UPS does not de-energize it. The SmartSlot port is still powered up until you de-energize the UPS. If you try to install or remove a card while there is still power in the slot, you stand a very good chance of frying the card and/or damaging the UPS. (Note: I have seen people in forums who say that to de-energize the UPS, you should hold down the "on/test" button for 5 seconds after unplugging the UPS, but on all of the Smart-UPS units that I have, this doesn't do anything; only holding down the "off" button de-energizes the unit. I don't know if the authors of those forum posts are wrong, smoking crack, living in some parallel universe, or some combination of the above, I'm just relaying my personal experience to you, for what it is worth. All I know is that when I hold down the "off" button for a few seconds, there is an audible "click" as it shuts off, and if there is a card installed in the SmartSlot port with an LED on it, the light goes out at the same time. When I hold down the "on/test" button, nothing happens and the unit is clearly still energized.)


The Serial Connection


For my testing, I used a Smart-UPS along with an APC serial cable (part number 940-0024C). If you don't have this cable, you can make your own; it is a DB9 cable with a female end for the PC and a male end for the UPS. Wire it as follows:

UPS end
(male)
PC end
(female)
1
3
2
2
9
5

In addition, the female end should have sockets 1 and 4 connected ("shorted") together, and the same for sockets 7 and 8.


(The pinout info above is courtesy of www.allpinouts.org, and it was confirmed by myself by probing an actual APC cable. I have also used this info to build my own cable, prior to purchasing an SNMP card. There are several other web sites out there with this pinout info which you can Google for should you be so inclined.)

Once you've plugged in the cable and installed the card, fire up a terminal program on your PC (Hyperterm comes installed by default on most Windows machines), and configure the comm port to 2400 baud, no parity, 1 stop bit, and no flow control. (2400,N,8,1,none) (Note: I have come across some cards which use the same settings except the baud rate is 19,200. I'm not sure what the deal is there. So, if 2400 just gives you garbage on the screen, try 19,200 instead. I believe the menu is different on the 19,200 version so the technique displayed on this page might not work. Actually, I think that the 19,200 version might not even use a username/password, in which case a reset like this may not even be necessary.)

When you connect, you need to hit "enter" a couple of times and you should be presented with a "User Name" prompt. The default username is "apc", and the default password is also "apc". If you cannot log in with those, then somebody has changed the username, password, or both. The rest of this guide explains how to retrieve this information.


Finding the User Name and Password


Click for bigger pic APC built a "back door" password into the AP9605 which was apparently used for factory configuration. When you log in using this back door password, you are presented with a different menu than when you log in with the normal password. One of the options on this menu is to dump the contents of the EEPROM, and fortunately, this includes the username and password. I will now take you step by step through the process. In this example, the UPS has been configured with a username of "USERNAME" and a password of "PASSWORD".

After you connect to the UPS with your terminal and get the "User Name:" prompt, type anything you want for the username (it doesn't matter), then for the password, use "TENmanUFactOryPOWER". (Cut 'n paste is your friend here.) You will be prompted to change your baud rate to 19,200, as shown to the right.

Click for bigger pic
Disconnect, change the baud rate for your comm port to 19,200, connect, and then hit enter. You will be presented with the menu shown to the right. There are a bunch of options here obviously, and it looks like there is potential to mess up the card by choosing the wrong ones, so its probably best to not mess with any option if you aren't sure exactly what it does.

The option we are interested in is number 11, "Dump EEPROM". Choose that, and you will be presented with a prompt that says "Enter Offset in Hex (XXXX):"; just hit enter here.

Once you do so, you will be presented with the hex dump, one page at a time. Hit the space bar to go to the next page, "b" to go back a page, or any other key to exit the dump and go back to the menu.

Click for bigger pic The picture to the right shows what the hex dump looks like. This is actually the first page of the dump, and the lines we are interested in are 002C and 0030. Look at the ASCII portion of the dump at the far right hand side. Each line is 8 characters (columns) wide. If we were to number each column (1 through 8), the password starts on line 002C, at column 3, goes through column 8, then continues on the next line (0030), starting at column 1. As you can see, the password is not listed in order, its jumbled up. The table below will show you how to decode the password:

Password
Character
Location Example
1Line 002C, column 4P
2Line 002C, column 3A
3Line 002C, column 6S
4Line 002C, column 5S
5Line 002C, column 8W
6Line 002C, column 7O
7Line 0030, column 2R
8Line 0030, column 1D
9Line 0030, column 4.
10Line 0030, column 3.


If there is no data in a particular memory location, a period will be displayed. The maximum allowed password length is 10 characters so basically what you need to do is to grab a piece of paper and put 10 blanks on it, numbered 1 through 10. Using the table above, simply start at 002C, column 4, and write that character in spot 1, write the character on line 002C, column 3 in blank 2, and so on. Keep going until you get to Line 0030, column 3, or until you hit a period. (If you hit a period, that means the password is less than 10 characters, and that period signifies the end of the password.)



Click for bigger pic The procedure for finding the username is the same as for the password, except that it is located on lines 0040 and 0044. The "decoding sequence" is the same as for the password, except for the line numbers, thus:

Username
Character
Location Example
1Line 0040, column 4U
2Line 0040, column 3S
3Line 0040, column 6E
4Line 0040, column 5R
5Line 0040, column 8N
6Line 0040, column 7A
7Line 0044, column 2M
8Line 0044, column 1E
9Line 0044, column 4.
10Line 0044, column 3.


A note for AP9606 users: I received an e-mail from a Mr. David Fulmer who informed me that this procedure also works for the AP9606, however the username starts at offset 0x01D3 and the password starts at offset 0x01DE. Thanks, David!



Once you've got the username and password, go back to the main menu and hit CTRL-A to exit the factory backdoor menu. At this point, it will prompt you to change the baud rate back to 2400. Use the same procedure as before - disconnect, set the comm port to 2400 baud, reconnect, and hit enter.



Setting a New User Name and/or Password



Click for bigger pic

Now that you know the username and password, when you connect to the UPS with your terminal program and are presented with the username and password prompts, you can input the correct values. Once you are logged in, you can reset the username and/or password to those of your choosing. To do so, choose menu option 3 ("Adapter"), and then menu option 1 ("Passwords").

Click for bigger pic

On the menu which is presented, if you want to set a new username, choose option 2, then type the new user name. Use option 3 to input a new password, and then choose option 4 and input the current password (the one that is currently set in the card, the one you just used to log in). Once you have input the values you want, choose option number 5 ("Accept Changes").

In the example to the right, I am setting the new username to be "apc" and the new password to be "apc". (The old/existing password was "PASSWORD".)

Click for bigger pic

After you choose menu option 5, if you have entered the correct value in the "Current Password" field, menu option 5 should change from "Pending" to "Success".

At this point, you can escape back to the main menu and log out. You should now be able to log in using the new username and password you have chosen; give it a try.


Congratulations! You've just turned an expensive paperweight into a useful piece of networking equipment.



I hope you found this helpful! My purpose for making this information available is simply to help out other folks who might be in the same situation I recently found myself in. I had purchased some used cards, and the username/password had been changed on some of them. I was able to find some information online regarding using this EEPROM dump trick on other APC SNMP adapters, but the information provided did not apply to the AP9605. By playing around with a card that I was able to login to and studying the EEPROM dump, I was able to develop the above procedure for recovering the username and password. Since there did not appear to be any other info out there regarding how to do this on an AP9605, I figured I would build a web page around it just in case it may be useful to someone. (Plus, I figured that by building this web page, I'd have a record of the procedure, so when I forget how this is done, I won't have to reinvent the wheel next time I need to reset one of these cards.)

If this page has saved you some money, time, and/or frustration and you feel like expressing your gratitude in a monetary form, I would certainly not be beneath accepting a donation of whatever amount you feel is appropriate. I can accept a PayPal payment to jon@jonsteiger.com.

Good luck!
This page was last updated October 15, 2009