Configuring DHCP for the APC AP7921 PDU

2022/09/25

Tags: network

Updating to the latest firmware versions

Finding the latest version of the firmware available for the unit is not easy as the firmware updates aren’t linked from the product page https://www.apc.com/shop/uk/en/products/Rack-PDU-Switched-1U-16A-208-230V-8-C13/P-AP7921.

The firmware comprises two parts that are individually versioned: AOS (APC Operating System) and rpdu (Rack PDU APP).

The first updater I found was apc_hw02_aos392_rpdu392.exe, dating from 2016, which is available here: https://www.apc.com/us/en/product/SFRPDU392/switched-metered-rack-power-distribution-unit-firmware-revision-3-9-2/

The page states that the file has not been superseded. However, I found references to a more recent version, apc_hw02_aos394_rpdu_393.exe, in these release notes https://download.schneider-electric.com/files?p_File_Name=990-3571E_EN.pdf&p_Doc_Ref=990-3517_EN&p_enDocType=User+guide but couldn’t find the actual firmware file for download.

Eventually, following a link in this vulnerability report from 2020, https://www.se.com/ww/en/download/document/SEVD-2020-174-01/, to https://www.apc.com/us/en/faqs/FA410359/ yielded a link to the firmware file fixing the 2020 vulnerability, hosted here on box.com: https://schneider-electric.app.box.com/s/5mmbnnzlbijoqw9qchltf1n86kdg3tfg

Before upgrading, my PDU had version 3.7.4.

Temporarily setting the IP address

An IP address can be temporarily assigned to the device with ARP and ping, even if you don’t have a DHCP server or screw up the DHCP/BOOTP config. The following commands are in Linux syntax.

arp -s 192.168.1.100 00:c0:b7:cf:8f:d5

ping 192.168.1.100 -s 113

Configuring dnsmasq

By default the device tries to get an IP address first by BOOTP, then by DHCP. As BOOTP IP leases don’t have an expiry, dnsmasq requires a static dhcp-host entry for the PDU’s MAC address before it will issue an IP address. Additionally, for DHCP, the device in its default configuration requires the APC Cookie value to be passed in the Option 43 (vendor specific info) field of the DHCP response.

I used the following dnsmasq config:

interface=eth0
bind-interfaces
server=8.8.8.8
domain-needed
bogus-priv
dhcp-range=192.168.1.2,192.168.1.100,12h
log-queries
log-dhcp
domain=cheese.org
#APC PDU
dhcp-host=00:c0:b7:cf:8f:d5,192.168.1.100,apc-pdu
# Option 43 payload: sub-option 1, length 4, value 31:41:50:43 (ASCII "1APC", the APC cookie)
dhcp-option=apc,43,01:04:31:41:50:43
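
The Option 43 value in the config above is a code/length/value sub-option. As an added example (not part of the original post), this Python sketch decodes that payload, rejects truncated ones, and re-encodes it in dnsmasq's colon-separated form; the function names are hypothetical and the layout assumed is the RFC 2132 encapsulated vendor-option format.

```python
# Added example (not from the original post): DHCP option 43 sub-option handling.
APC_COOKIE_CODE = 1        # sub-option code, first byte of the page's payload
APC_COOKIE = b"1APC"       # bytes 31:41:50:43 of the page's payload, read as ASCII


def from_dnsmasq_hex(text):
    """Convert dnsmasq's colon-separated hex ('01:04:...') to bytes."""
    return bytes.fromhex(text.replace(":", ""))


def parse_option43(payload):
    """Split an option 43 payload into {code: value} (RFC 2132 encapsulated layout)."""
    subopts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad byte, carries no length field
            i += 1
            continue
        if code == 255:                    # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError(f"sub-option {code}: missing length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code}: declared {length} bytes, got {len(value)}")
        subopts[code] = value
        i += 2 + length
    return subopts


def has_apc_cookie(payload):
    """True only if the payload is well formed and carries sub-option 1 = '1APC'."""
    try:
        return parse_option43(payload).get(APC_COOKIE_CODE) == APC_COOKIE
    except ValueError:
        return False


def to_dnsmasq_hex(subopts):
    """Encode {code: value} back into the form used on a dhcp-option line."""
    out = bytearray()
    for code, value in subopts.items():
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"sub-option {code} cannot be encoded")
        out += bytes([code, len(value)]) + value
    return ":".join(f"{b:02x}" for b in out)
```

Running `has_apc_cookie` over the option 43 bytes taken from a packet capture of the DHCP reply confirms whether the server is actually sending the cookie the PDU expects.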

Prior to the firmware upgrade, the system info reported via telnet was as follows.

        -----------------------------------------------------------------------
        About System

        Model Number      : AP7921
        Serial Number     : ZA0811006501
        NMC Serial Number : BA0810007469
        Manufacture Date  : 03/13/2008
        Hardware Revision : B2
        MAC Address       : 00 C0 B7 CF 8F D5
        Flash Type        : AMD A29DL322DB

        Press <ENTER> to continue...

        -----------------------------------------------------------------------
        Module Information 

        Description : Rack PDU APP
        -----------------------------------------------------------------------
        Name        : rpdu              Type        : StatApp
        Version     : 374               Sector      : 16
        Date        : 03/13/2012        Time        : 16:16:54
        CRC16       : 4D49

        Press <ENTER> to continue...

        Description : Network Management Card AOS
        -----------------------------------------------------------------------
        Name        : aos               Type        : APC OS
        Version     : 374               Sector      : 47
        Date        : 11/09/2011        Time        : 11:45:09
        CRC16       : 49C6

        Press <ENTER> to continue...

Where it all went wrong…

After the upgrade, the device initially worked OK, but at some point it appears that the flash contents became corrupted as the model number and serial number disappeared and the MAC address changed. This is probably my fault for hard powering off the device while it was still resetting the configuration settings.

        -----------------------------------------------------------------------
        About System

        Model Number      : 
        Serial Number     : 
        Manufacture Date  : 
        Hardware Revision : 
        MAC Address       : 7F 6B 20 32 00 7F
        Flash Type        : AMD A29DL322DB

        Press <ENTER> to continue...

        -----------------------------------------------------------------------
        Module Information 

        Description : Network Management Card AOS
        -----------------------------------------------------------------------
        Name        : aos               Type        : APC OS
        Version     : 392               Sector      : 16
        Date        : 07/06/2016        Time        : 15:12:05
        CRC16       : C3FF

        Press <ENTER> to continue...

        Description : Network Management Card AOS
        -----------------------------------------------------------------------
        Name        : aos               Type        : APC OS
        Version     : 392               Sector      : 47
        Date        : 07/06/2016        Time        : 15:12:05
        CRC16       : C3FF

        Press <ENTER> to continue...

With the device in this state, unsurprisingly it does not work correctly. It’s possible to assign an IP to the device via ARP, however the web interface doesn’t work correctly and it’s not possible to switch the outlets.
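
A check for the corrupted state shown above, as an added example that is not part of the original post: it parses the About System screen and flags blank identity fields and a MAC address that no longer matches the pre-upgrade one. The expected OUI is taken from the MAC the page shows before the upgrade; the function names are hypothetical.

```python
import re

# "About System" fields copied from the post-upgrade screen shown on the page.
ABOUT_AFTER = """\
        Model Number      :
        Serial Number     :
        Manufacture Date  :
        Hardware Revision :
        MAC Address       : 7F 6B 20 32 00 7F
        Flash Type        : AMD A29DL322DB
"""

EXPECTED_OUI = "00:C0:B7"  # first three octets of the pre-upgrade MAC on the page
IDENTITY_FIELDS = ("Model Number", "Serial Number",
                   "Manufacture Date", "Hardware Revision")


def parse_about(screen):
    """Turn 'Name : value' lines into a dict; rulers and prompts are skipped."""
    fields = {}
    for line in screen.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def identity_problems(fields, expected_oui=EXPECTED_OUI):
    """Return a list of findings; an empty list means the identity data looks intact."""
    problems = [f"{name} is blank" for name in IDENTITY_FIELDS if not fields.get(name)]
    octets = fields.get("MAC Address", "").split()
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        problems.append("MAC Address is missing or malformed")
        return problems
    if ":".join(octets[:3]).upper() != expected_oui:
        problems.append(f"MAC OUI is not {expected_oui}")
    if int(octets[0], 16) & 0x01:
        # Lowest bit of the first octet marks a group address, not a station address.
        problems.append("MAC has the group (multicast) bit set")
    return problems


if __name__ == "__main__":
    for finding in identity_problems(parse_about(ABOUT_AFTER)):
        print(finding)
```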

Potential resolution

There is a back door available over serial that is used in the factory for setting the model number, serial number and other fields. Originally this was also available over telnet, as per https://seclists.org/bugtraq/2004/Feb/456 but this was later patched out.