Firmware distribution does not match target device platform...

pompfe · ‎2022-07-14

Hi,

when I saw the problems with the batteries I thought it would also be the right time to update firmwares.

One UPS got a AP9630 and the other a AP9631. Both seem to have the same firmware file named "apc_hw05_aos708_sumx708_bootmon109.exe". Currently we are still running SUMX 6.5.0, AOS 6.5.0 and Boot Monitor 1.0.8 on both of them.

When I run the upgrade utility I get these messages on both UPS:

[Date-Time] Unable to update device IP with Boot Monitor, stopping all further processing of this device!

[Date-Time] Uploading firmware file 1 of 3: Boot Monitor to IP, please wait...

[Date-Time] Firmware distribution does not match target device platform; this could be due to a corrupt distribution.

[Date-Time] NMC Firmware Update Utility v1.0.4 initialized.

Am I using the wrong firmware version? This is the version that I found and I believe that this is for a AP9630 in a SMT3000RMI2U and a AP9631 in a SMX3000RMHV2U (web site said it is for Smart-UPS and Galaxy 3500). Am I wrong? What else might have happend here?

The firmware for the SMX3000RMHV2U is UPS 07.4 (ID1003) and for the SMT3000RMI2U it is UPS 09.3 (ID18). Are these the actual versions or should I upgrade these, too? Where do I get updated firmware from? I did not find any.

Thanks a lot!

pompfe

regs · ‎2022-07-26

After comparing configs, I found it was because the protocol selected for updates was disabled on device in question. After switching the protocol (or enabling the protocol in the NMC2) the updates proceeded. Make sure you have FTP/SCP connectivity using an external client or checking the config before trying the update utility. Hope this helps.

See Answer In Context

regs · ‎2022-07-26

I have the same issue but across 20 UPS I only have 3 or 4 that have the issue. They are the same model and hardware revision (AP9630) and I'm using apc_hw05_aos708_sumx708_bootmon109) and some can update and others cannot. Very strange. Did you find a solution?

regs · ‎2022-07-26

After comparing configs, I found it was because the protocol selected for updates was disabled on device in question. After switching the protocol (or enabling the protocol in the NMC2) the updates proceeded. Make sure you have FTP/SCP connectivity using an external client or checking the config before trying the update utility. Hope this helps.

robincm · ‎2023-02-08

Yes, this is exactly what it was for me - SSH was disabled. Thank you!

Zack · ‎2024-08-03

I discovered that my APC PD8841 was outdated to the point that I needed to configure my SSH settings to use specific ciphers and key exchange algorithms for the firmware update tool to work correctly. Follow the steps below to determine if this issue affects you.

1. Attempt to SSH into the APC unit with SSH enabled on the device:

ssh apc@IP_OF_DEVICE

2. If you receive an error like "no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" add one of the key exchange algorithms offered to your SSH command and try again:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 apc@IP_OF_DEVICE

NOTE: If you do not receive an error and instead see a password prompt or an option to add the device fingerprint to your known_hosts, this solution may not resolve your issue.

3. If you then receive another error stating "no matching cipher found. Their offer: aes256-cbc,3des-cbc,blowfish-cbc,arcfour" add one of the ciphers offered to your SSH command and try again. Otherwise, skip to step 4:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc apc@IP_OF_DEVICE

4. You should now be able to SSH into the device. If successful, create an SSH configuration file named config with no file extension in your user folder $HOME\.ssh. This example assumes you are using Windows, but the process is similar on Linux:

Host IP_OF_DEVICE
    KexAlgorithms +diffie-hellman-group1-sha1
    Ciphers aes256-cbc

NOTE: Ensure the file has no file extension; otherwise, SSH will not recognize it. To confirm, open a terminal in the .ssh folder and list the files using ls or dir, depending on your OS.

5. Open a new terminal and try to SSH into the device without using any command line arguments. If your SSH configuration file is recognized, you should be able to connect without specifying additional options. If successful, proceed to step 6. If not, further troubleshooting is required:

ssh apc@IP_OF_DEVICE

6. With SSH now automatically using these options for your device, try the firmware update utility again. You should now be able to update the firmware.

7. After updating the firmware, it is highly recommended that you remove the SSH configuration for this device by deleting the SSH configuration options or file you created in the steps above. If you decide not to remove this, you will continue using outdated ciphers and key exchange algorithms, which pose a security concern.

8. The new firmware should now accept the default secure key exchange algorithms and ciphers. To test this, try to SSH into the device again using the standard command with the custom options for this device removed from the SSH configuration file:

ssh apc@IP_OF_DEVICE

NOTE: If you still encounter key exchange or cipher errors, the device will still require the custom SSH configuration options until another firmware update adds support for them.

I hope this helps someone else who encounters a similarly outdated APC unit.