APC AP9605 PowerNet SNMP Adapter Username and Password

Recovery
How to find and reset the user name and/or password on the APC AP9605 (and also the AP9606)

Introduction
The APC AP9605 PowerNet SNMP Adapter is a SmartSlot accessory which was sold by APC for
their UPS products (it has since been discontinued in favor of newer/more advanced cards).
Basically, is a 10 Mbps ethernet adapter which allows the UPS to communicate via SNMP instead
of having to use a serial cable connected to one computer. The benefit of this is that multiple
computers/servers can query the UPS directly, instead of having one "master" server which is
connected via a serial cable with which the other computers must communicate.
The AP9605 was produced sometime around the mid to late '90s, which means it is probably
considered an antique in most IT environments, however this card still has plenty to offer those of
us who are a little lower on the IT totem pole such as small networks, home users, etc. Unlike its
successor (the AP9606), the AP9605 does not have a web management feature; in order to
configure it, you must use the command line interface (via a serial cable or telnet, though it is
possible to disable telnet so that you need physical access to the device for a bit more security). By
shopping around a bit on eBay, these cards can be purchased for around $5 each in quantities of 5+
or so, or if you are just looking for a single card, $10 seems to be about the norm. (Those prices
assume used cards; "new" ones can be considerably more expensive, given that there are quite a
few goofball sellers out there who apparently are under the impression that these cards are made of
solid gold as opposed to being last decade's technology.)
The default username/password for these cards is apc/apc. One drawback to purchasing one of
these cards used is that sometimes a previous user has changed the default username and/or
password. If you cannot log in to change the networking configuration and such, the card is
useless.
One option which is available to you is to simply contact APC's customer service department (their
web site is www.apc.com). If you give them the card's serial number, they can provide you with a
backdoor password. When you log in with the username of apc in conjunction with the backdoor
password, the username and password will be reset back to apc/apc. This is probably the easiest
option, but if you are in a hurry, or just like doing things yourself, this page describes how to
determine the username and password for your AP9605 card and also how to reset it.

Installing the Card

In order to communicate with the card, you
need to install it in a UPS. Here is the
procedure I use:
1. Press the "off" button on the UPS
(this will power off any connected
equipment)
2. Unplug the UPS
3. Press the "off" button on the UPS
again, only this time, hold it down until you hear a click. This will take about 3-5 seconds.
4. Remove the screws and cover from the SmartSlot port, if necessary.
5. Slide the AP9605 into the SmartSlot
6. Install screws to secure the card in the slot if you are leaving it there and putting the UPS
into use, otherwise if you are just testing or will be pulling cards in and out frequently, the
screws aren't necessary for it to work, just make sure the card is fully seated. There is no
need to connect an ethernet cable at this point, the configuration will be done via the serial
port.
7. Plug the UPS back in. (You don't need to press the "on/test" button, just plugging in the UPS
is enough to power up the SmartSlot port and allow you to establish a serial connection.
The reason for holding down the "off" button for 5 seconds is because just unplugging the UPS
does not de-energize it. The SmartSlot port is still powered up until you de-energize the UPS. If
you try to install or remove a card while there is still power in the slot, you stand a very good
chance of frying the card and/or damaging the UPS. (Note: I have seen people in forums who say
that to de-energize the UPS, you should hold down the "on/test" button for 5 seconds after
unplugging the UPS, but on all of the Smart-UPS units that I have, this doesn't do anything; only
holding down the "off" button de-energizes the unit. I don't know if the authors of those forum posts
are wrong, smoking crack, living in some parallel universe, or some combination of the above, I'm
just relaying my personal experience to you, for what it is worth. All I know is that when I hold
down the "off" button for a few seconds, there is an audible "click" as it shuts off, and if there is a
card installed in the SmartSlot port with an LED on it, the light goes out at the same time. When I
hold down the "on/test" button, nothing happens and the unit is clearly still energized.)

The Serial Connection

For my testing, I used a Smart-UPS along with an APC serial cable (part number 940-0024C). If
you don't have this cable, you can make your own; it is a DB9 cable with a female end for the PC
and a male end for the UPS. Wire it as follows:
UPS end
(male)

PC end
(female)
1
2
9

3
2
5

In addition, the female end should have sockets 1 and 4 connected ("shorted") together, and the
same for sockets 7 and 8.
(The pinout info above is courtesy of www.allpinouts.org, and it was confirmed by myself by
probing an actual APC cable. I have also used this info to build my own cable, prior to purchasing
an SNMP card. There are several other web sites out there with this pinout info which you can
Google for should you be so inclined.)
Once you've plugged in the cable and installed the card, fire up a terminal program on your PC
(Hyperterm comes installed by default on most Windows machines), and configure the comm port
to 2400 baud, no parity, 1 stop bit, and no flow control. (2400,N,8,1,none) (Note: I have come
across some cards which use the same settings except the baud rate is 19,200. I'm not sure what the
deal is there. So, if 2400 just gives you garbage on the screen, try 19,200 instead. I believe the
menu is different on the 19,200 version so the technique displayed on this page might not work.
Actually, I think that the 19,200 version might not even use a username/password, in which case a
reset like this may not even be necessary.)
When you connect, you need to hit "enter" a couple of times and you should be presented with a
"User Name" prompt. The default username is "apc", and the default password is also "apc". If you
cannot log in with those, then somebody has changed the username, password, or both. The rest of
this guide explains how to retrieve this information.

Finding the User Name and Password

APC built a "back door" password into the AP9605 which was apparently used for factory
configuration. When you log in using this back door password, you are presented with a different
menu than when you log in with the normal password. One of the options on this menu is to dump
the contents of the EEPROM, and fortunately, this includes the username and password. I will now
take you step by step through the process. In this example, the UPS has been configured with a
username of "USERNAME" and a password of "PASSWORD".
After you connect to the UPS with your terminal and get the "User Name:" prompt, type anything
you want for the username (it doesn't matter), then for the password, use
"TENmanUFactOryPOWER". (Cut 'n paste is your friend here.) You will be prompted to change
your baud rate to 19,200, as shown to the right.
Disconnect, change the baud rate for your comm port to 19,200, connect, and then hit enter. You
will be presented with the menu shown to the right. There are a bunch of options here obviously,
and it looks like there is potential to mess up the card by choosing the wrong ones, so its probably
best to not mess with any option if you aren't sure exactly what it does.
The option we are interested in is number 11, "Dump EEPROM". Choose that, and you will be
presented with a prompt that says "Enter Offset in Hex (XXXX):"; just hit enter here.
Once you do so, you will be presented with the hex dump, one page at a time. Hit the space bar to
go to the next page, "b" to go back a page, or any other key to exit the dump and go back to the
menu.
The picture to the right shows what the hex dump looks like. This is actually the first page of the
dump, and the lines we are interested in are 002C and 0030. Look at the ASCII portion of the dump
at the far right hand side. Each line is 8 characters (columns) wide. If we were to number each
column (1 through 8), the password starts on line 002C, at column 3, goes through column 8, then
continues on the next line (0030), starting at column 1. As you can see, the password is not listed in
order, its jumbled up. The table below will show you how to decode the password:

Password
Character

Location

Example

Line 002C, column 4

Line 002C, column 3

Line 002C, column 6

Line 002C, column 5

Line 002C, column 8

Line 002C, column 7

Line 0030, column 2

Line 0030, column 1

Line 0030, column 4

10

Line 0030, column 3

If there is no data in a particular memory location, a period will be displayed. The maximum
allowed password length is 10 characters so basically what you need to do is to grab a piece of
paper and put 10 blanks on it, numbered 1 through 10. Using the table above, simply start at 002C,
column 4, and write that character in spot 1, write the character on line 002C, column 3 in blank 2,
and so on. Keep going until you get to Line 0030, column 3, or until you hit a period. (If you hit a
period, that means the password is less than 10 characters, and that period signifies the end of the
password.)

The procedure for finding the username is the same as for the password, except that it is located on
lines 0040 and 0044. The "decoding sequence" is the same as for the password, except for the line
numbers, thus:
User
nam
Exa
e
Location mpl
Cha
e
ract
er
1

Line
0040,
column 4

Line
0040,
column 3

Line
0040,
column 6

Line

0040, column 5
5

Line 0040, column 8

Line 0040, column 7

Line 0044, column 2

Line 0044, column 1

Line 0044, column 4

10

Line 0044, column 3

A note for AP9606 users: I received an e-mail from a Mr. David Fulmer who informed me that this
procedure also works for the AP9606, however the username starts at offset 0x01D3 and the
password starts at offset 0x01DE. Thanks, David!

Once you've got the username and password, go back to the main menu and hit CTRL-A to exit the
factory backdoor menu. At this point, it will prompt you to change the baud rate back to 2400. Use
the same procedure as before - disconnect, set the comm port to 2400 baud, reconnect, and hit
enter.

Setting a New User Name and/or Password

Now that you know the username and password, when you connect to the UPS with your terminal
program and are presented with the username and password prompts, you can input the correct
values. Once you are logged in, you can reset the username and/or password to those of your
choosing. To do so, choose menu option 3 ("Adapter"), and then menu option 1 ("Passwords").

On the menu which is presented, if you want to set a new username, choose option 2, then type the
new user name. Use option 3 to input a new password, and then choose option 4 and input the
current password (the one that is currently set in the card, the one you just used to log in). Once you
have input the values you want, choose option number 5 ("Accept Changes").
In the example to the right, I am setting the new username to be "apc" and the new password to be
"apc". (The old/existing password was "PASSWORD".)

After you choose menu option 5, if you have entered the correct value in the "Current Password"
field, menu option 5 should change from "Pending" to "Success".
At this point, you can escape back to the main menu and log out. You should now be able to log in
using the new username and password you have chosen; give it a try.
Congratulations! You've just turned an expensive paperweight into a useful piece of networking
equipment.

I hope you found this helpful! My purpose

for making this information available is
simply to help out other folks who might be
in the same situation I recently found
myself in. I had purchased some used cards,
and the username/password had been
changed on some of them. I was able to find
some information online regarding using
this EEPROM dump trick on other APC
SNMP adapters, but the information
provided did not apply to the AP9605. By
playing around with a card that I was able
to login to and studying the EEPROM dump, I was able to develop the above procedure for
recovering the username and password. Since there did not appear to be any other info out there
regarding how to do this on an AP9605, I figured I would build a web page around it just in case it
may be useful to someone. (Plus, I figured that by building this web page, I'd have a record of the
procedure, so when I forget how this is done, I won't have to reinvent the wheel next time I need to
reset one of these cards.)
If this page has saved you some money, time, and/or frustration and you feel like expressing your
gratitude in a monetary form, I would certainly not be beneath accepting a donation of whatever
amount you feel is appropriate. I can accept aPayPal payment to jon@jonsteiger.com.
Good luck!
This page was last updated October 15, 2009