BT-SC/MKP8.1 Product Management This letter contains latest information about the above mentioned firmware version.


Release Letter

Products: H.264 Firmware for CPP7 HD/MP cameras
Version: 6.60.0065

This letter contains latest information about the above mentioned firmware version.

1 General

This firmware release is a feature release based on FW 6.51.0028. It is an upgrade for CPP7 based cameras only.

Changes since last release FW 6.51.0028 are marked in blue.

2 Applicable products:

- DINION IP starlight 6000
- DINION IP starlight 7000
- FLEXIDOME IP starlight 6000
- FLEXIDOME IP starlight 7000
- DINION IP thermal 8000

3 Important notes:

3.1 Two-factor authenticated firmware signature

The security of the signature of the firmware file has been strengthened by using a two-factor authentication process for signing the final firmware file. This new process has been prepared for with firmware 6.50 and comes into effect with succeeding versions.

The new signature protects from non-released versions being installed in productive systems. As a result, pre-release (beta) versions, required sometimes in projects, need to have a special license installed prior to the firmware update. Requests for pre-release versions need to be handled via tech support tickets in order to allow tracking and require a concession signed by the customer.

In case a firmware must be downgraded from a device with firmware 6.51 or higher installed, the downgrade is only possible via firmware 6.50 with an updated signature. Please contact our customer service or technical support to get a link to this firmware.

3.2 Firmware file encryption

In order to upload version 6.51 to a device running a firmware version below 6.50, you need to upgrade first to version 6.50, since older firmware versions do not support firmware file decryption.

3.3 Originally manufactured certificate

Since firmware version 6.30 all cameras are prepared to receive a unique Bosch certificate during production, assigned and enrolled by Escrypt LRA. These certificates prove that every device is an original Bosch-manufactured and untampered unit. Escrypt is a Bosch-owned company, providing a public certificate authority (CA). Enrollment of the certificates in production is asynchronous to this firmware release.

3.4 File System Introduction

Due to an internal file system being introduced since firmware 6.1x and architectural changes thereof, an upgrade to firmware 6.20 and higher is only possible from firmware 6.1x versions or higher. Cameras with previous firmware versions below 6.1x first need to upgrade to firmware 6.1x.

3.5 TPM

All CPP7 devices incorporate a Trusted Platform Module (TPM) with own firmware. This TPM hardware and firmware have been enhanced over time to allow for additional security features. Due to security reasons, the firmware or functionality of the TPM cannot be altered in the field. Thus, not all new security features become available on devices with older TPM hardware or firmware revisions.
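The ordering constraints in notes 3.1, 3.2 and 3.4 can be turned into a planning step for fleet updates. The following sketch is an added example, not Bosch code; the function names and the sample version 5.93.0025 are constructed, and it assumes that the 6.50 stepping stone named for 6.51 in note 3.2 applies to every target above 6.50.

```python
"""Added example: firmware upload order implied by notes 3.1, 3.2 and 3.4."""
from typing import List, Tuple

# Thresholds taken from the release letter, compared on (major, minor) only.
FS_BASE = (6, 10)      # "6.1x": first line with the internal file system (3.4)
FS_REQUIRED = (6, 20)  # 6.20 and higher install only from 6.1x or higher (3.4)
CRYPTO_BASE = (6, 50)  # first version that can decrypt firmware files (3.2)
TWO_FACTOR = (6, 51)   # downgrades from 6.51 or higher go via 6.50 (3.1)

# Labels for intermediate uploads; the letter names no build numbers for them.
STEP_FS = "6.1x"
STEP_CRYPTO = "6.50"
STEP_RESIGNED = "6.50 (updated signature, link from support)"


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '6.51.0028' into (6, 51, 28).

    One-digit minors are rejected: the letter writes "6.4" for the 6.40 line,
    so guessing would place such a device on the wrong side of a threshold.
    """
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a firmware version: {text!r}")
    if len(parts[1]) != 2:
        raise ValueError(f"ambiguous minor version in {text!r}")
    return tuple(int(p) for p in parts)


def plan_uploads(installed: str, target: str) -> List[str]:
    """Return the firmware files to upload, in order, ending with the target.

    Only the three notes above are modelled. Other limits in the letter, such
    as the refusal of non-signed firmware, are not, because the letter does
    not say which versions they affect.
    """
    cur, tgt = parse_version(installed), parse_version(target)
    if cur == tgt:
        return []
    steps: List[str] = []
    if tgt < cur:
        # Downgrade: from 6.51 or higher the re-signed 6.50 comes first (3.1).
        if cur[:2] >= TWO_FACTOR:
            steps.append(STEP_RESIGNED)
            if tgt[:2] == CRYPTO_BASE:
                return steps  # the re-signed 6.50 is already the destination
        steps.append(target.strip())
        return steps
    # Upgrade: the file system step (3.4) precedes the decryption step (3.2).
    if tgt[:2] >= FS_REQUIRED and cur[:2] < FS_BASE:
        steps.append(STEP_FS)
        cur = FS_BASE
    if tgt[:2] > CRYPTO_BASE and cur[:2] < CRYPTO_BASE:
        steps.append(STEP_CRYPTO)
    steps.append(target.strip())
    return steps


if __name__ == "__main__":
    # Constructed inventory: camera name -> installed firmware version.
    fleet = {
        "cam-lobby": "5.93.0025",
        "cam-dock": "6.32.0111",
        "cam-gate": "6.50.0128",
        "cam-roof": "6.60.0065",
    }
    for name, installed in fleet.items():
        plan = plan_uploads(installed, "6.60.0065")
        print(f"{name}: {installed} -> {plan or 'up to date'}")
```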

4 New Features

Security

- Software sealing is extended to cover more static parameters of image pre-processing and moving camera control.
- Manual and automatic logout functionality added to the web browser interface:
  - A Logout button is available in the blue navigation bar between Links and help icon.
  - A timeout in minutes for the browser session can be defined via the Web Interface -> Live functions menu.
- Enhancements for Alarm Task Scripting:
  - A seal break event can be used to trigger alarm task scripts.
  - An SD card lifespan alarm can be used to trigger alarm task scripts.
- Enhancements for SNMP:
  - A seal break event can trigger an SNMP trap.
  - An SD card lifespan alarm can trigger an SNMP trap.
  - An event from the Embedded Login Firewall can trigger an SNMP trap.

ONVIF

- Signalling of idle object is added to the ONVIF metadata stream.

Miscellaneous

- Genetec Stratocast cloud is supported.
- 5MP cameras received a 3 MP downscale resolution option.
- Support added for inverting lenses, especially Bosch LVF-5005C-S1803, for DINION IP 6000/7000 and FLEXIDOME IP 6000/7000.
- IGMPv3 enhancements to support source-specific multicast (SSM) scenarios.

VCA

- An object that triggered an alarm is marked accordingly and displayed in orange color for a short period to allow easier visual detection.
- For details on enhancements and changes in Intelligent Video Analytics and Essential Video Analytics, please refer to the separate release notes.

5 Changes

- An issue in a multipathing scenario, where during start-up 802.1x EAP/TLS caused iSCSI recording to use the alternative path, is fixed.
- An issue where the ONVIF metadata stream occasionally stopped is fixed.
- Remote recording on CPP-ENC devices is fixed but requires CPP-ENC devices to run FW 5.97.10 or higher because of the recently added security features, which impact RCP+ communication and password handling.
- The default use of 1024 bit RSA keys for self-signed certificate generation is limited to cameras with older hardware that would require time-extensive 2048 bit key generation in software. On all cameras with hardware acceleration a minimum length of 2048 bit is used for RSA keys by default. Certificates with 2048 bit keys can be used on all cameras.

6 System Requirements

- Web Browsers:
  - Microsoft Internet Explorer 11 or higher
  - Mozilla Firefox
- DirectX 11
- MPEG-ActiveX 6.13 or newer
- Configuration Manager 6.01 or newer

7 Restrictions; Known Issues

User Interface

- If UAC is set to default in Windows 7, no snapshot or recording via LIVE page is possible.
- Video and audio may be asynchronous during replay via Web page.
- In Firefox, no audio is audible on the Audio Settings page.
- Opera mini for mobile devices cannot work in Intranets because it gets all pages through an opera proxy in the Internet. If there is no Internet connection no content is provided.
- When changing GUI language, the browser cache may have to be deleted and the web browser be reloaded before the language will be selected correctly.
- IE10 by default does not allow snapshots or recording from the LIVE page on local hard disk until one of the following actions is performed:
  - uncheck the box "Enable Protected Mode" in internet options/security
  - add the device's IP range to "Local intranet" zone
  - add the device's IP address to the trusted sites
  - start IE as administrator
- If an intranet site is opened, IE10 automatically runs in compatibility mode. This leads to a misbehaviour that no timeline is shown on the PLAYBACK page. Therefore the function "Display intranet sites in Compatibility View" must be disabled.
- Fluent decoding of buffered.mp4 video from camera is strongly dependent on the browser. Jerky video may occur, e.g. with Mozilla Firefox 52.0, which is not a camera malfunction.
- Shutter time values in preview window might slightly deviate from rounded values selectable from dropdown menu.

Encoding

- Only H.264 Main Profile using CABAC is supported. CAVLC is not supported.
- Frame rates in low light mode might vary and cause bit rate control to produce higher bit rates than set as maximum.
- Aspect ratios 16:9 and 4:3 are not combinable. Aspect ratio from stream 1 will lead.
- With GOP structure set to IBP and IBBP the I-frame distance may not exactly correspond with the set value.
- For stream setting Dual ROI the maximum resolution of stream 2 is 432p regardless of a higher resolution selected in the encoder profile.
- If bit rate is already reaching maximum level due to image content to be encoded, encoder quality regions with setting object cannot be improved for quality anymore and differences will gradually be reduced.

Security

- When using certificates for mutual authentication, it must be ensured that the camera uses a solid and trusted time base. In case the time differs too much from the actual time, a client might be locked out. Then, only a factory default will recover access to the camera.
- Underscore character ( _ ) and blank space are not allowed in common name in certificates.
- Excessive signing, e.g. due to very short video authentication signing interval, may have an impact on TLS connection setup.
- Client authentication is not working using Microsoft Edge as the browser does not send any certificate for client authentication, so the camera has nothing to authenticate.
- Video authentication using SHA hashing mechanisms are not functional if no self-signed certificate has been created yet. Opening an HTTPS connection once is prerequisite.
- Creating 2048 bit keys for self-signed certificates may take more than 20 seconds, extending the initial boot cycle, which may occasionally cause a timeout on the very first HTTPS connection to a camera. The next connection attempt typically is successful.
- If software sealing is active and SNMP is disabled in Network -> Network Services, no SNMP trap will be sent out on seal break due to the disabled service. The seal break itself is logged.

Network

- QoS values are set according to group Video/Audio/Control for UDP packets, but for TCP packets, only the QoS value for Video is inserted.
- IP addresses 172.20.1.0/30 which include 172.20.1.0 to 172.20.1.3 are reserved for internal communication and must not be used as device addresses. Products without internal communication ignore this restriction and allow the use of this range.
- Link-local addresses from the Auto-IP range (169.254.1.0/16) must not be entered manually.
- Reboot will not be performed automatically after uploading a SSL certificate or SSL key; must be done manually.

Image Processing

- For optimal image performance the user is advised not to turn off contrast enhancement during normal camera operation.
- In cases where the camera is configured to do very little noise filtering (far lower than default settings of the camera), in a low-light scene the bit rate needed for encoding the unfiltered, low-noise image is high. If the target and maximum encoding bit rate values do not match this bit rate requirement, blockiness or stuttering images may result. On these occasions please apply stronger temporal or spatial filtering and/or reduce sharpness.
- ROI PTZ combined with IDNR enabled may blur image when no motion is present in the scene.
- When the camera runs in HDR mode, the analog output menu cannot be used by pressing the local menu button. In this mode, pressing the menu button on the camera will switch on the analog output, pressing it once again will switch the analog output off. Aspect ratio and zoom and focus changes can only be done via IP in the FW configuration.
- 4:3 analog output mode is not possible in combination with HDR.

IVA

- IVA and flow need at least 12.5 frames per second video input frame rate. If IVA or Flow are configured, minimum frame rate of 12.5 must be set in ALC mode.
- There is only one configuration for IVA. When analysis type is changed, e.g. from IVA to IVA Flow, the former configuration is lost. Due to this, it is not possible to change the analysis type in a VCA profile switch.
- If a VCA configuration using a rule engine is switched to a VCA configuration without using a rule engine, e.g. MOTION+ or IVA default configuration, the saved configuration is invalid. Forensic search with this configuration may lead to undesired search results.
- Due to a limitation of the script language that is used in the background, the delay timer for event-triggered VCA starts immediately when the configuration is set. A trigger event during this period does not restart the timer. Once the timer has elapsed, operation is as desired.
- On devices with VCA FPGA an outgoing IPv6 connection fails when device is initiator, e.g. trying to resolve a time server domain name.
- After firmware upgrade to version 6.10 the minimum object size seems being reset when editing 'motion in field' task. As a proposed workaround check minimum object size and correct value as applicable.

MOTION+

- An alarm recording configured to be triggered by MOTION+ with masks may not be operational after reboot. Saving MOTION+ configuration without any changes recovers from that. Alternatively masks may not be used with MOTION+.

Recording

- VRM version 2.12 or higher is required.
- In some cases formatting errors on external iSCSI drives may occur, which might need multiple tries to overcome.
- In rare cases it may happen that the owner of an iSCSI LUN is not displayed correctly. Recording is not affected, just previous owner remains displayed.
- If a device had primary and secondary recording running on SD card and is then added to a VRM system, the blocks used for primary recording will not be re-used, reducing the available recording space for the ANR recording. This can be solved by re-formatting the SD card.
- Throughput limit for simultaneous recording and local replay at 100% playback speed is:
  - maximum total recording bit rate of 7 Mbps for external iSCSI recording
  - maximum total recording bit rate of 10 Mbps for SD card recording, depending on SD card performance
- SD card recording performance is highly dependent on the speed (class) and performance of the SD card.
- With I-frame-only recording and audio also enabled for recording, audio will be fragmented or not audible during replay. Please disable audio recording in case of I-frame-only recording.
- Numbering of the recorded files on the replay page is not always contiguous. If snippets across block borders belong together, like pre-alarm and alarm recording, the snippets become logically united and only the lower file number is presented in the list.
- SDXC cards are formatted to FAT32 file system and not using the exFAT file system as being mandatory for SDXC standard compliance but fully recognized and accessible. The maximum size of 2TB is also supported with FAT32, once SD cards of that size might become available. FAT32 also increases portability to other than Windows platforms.
- If a local media is exchanged, existing former recordings are only discovered after rebooting the device.
- Physically removing the local storage media while recording causes the device to reboot. Recording must be stopped before removal.
- Changing audio format while audio is being recorded may cause unknown behaviour of the device and must be avoided.
- 5MP and larger JPEG streaming via RTSP is only possible with decoders supporting the ONVIF extensions. JPEG streaming via RTSP is based on RFC 2435. This RFC only allows for a maximum JPEG size of 2048 by 2048. With ONVIF, the original, larger JPEG headers can also be transmitted via RTP header extensions. Unfortunately, this only works with decoders using these extensions, i.e. it does not work with a standard VLC.
- The storage system indicator status must be ignored during formatting of an SD card.
- Forcing the camera into an overload situation may cause undesired behaviour and in worst cases even recording gaps. It should always be ensured that the CPU load is not consistently around or at its maximum. This can be achieved by adapting encoder settings or avoiding too many tasks, e.g. client sessions, in parallel.
- Triggered recording (backup) tasks in buffered recording configuration are not persistent over a power cycle. Pending backups to central recording will be lost when a device reboots.
- When local SD-card recording is active, both live Stream1 and the recorded stream will use Encoder Profile parameters of Profile 3. The default profile 3 parameters may in certain conditions lead to encoding artefacts in the recorded stream and live Stream1. In this case, consider the following changes: Lower the resolution, lower the frame rate, lower the sharpness and/or raise temporal/spatial filtering.
- Sporadically occurring incorrect time zone info in recording packets may lead to gaps displayed in the playback timeline. The video footage within the gap cannot be replayed but becomes accessible via exporting the affected period. This may happen with firmware 6.32 below built 111.
- Remote recording is not working with actual firmware on devices running FW 5.5x or older because of the recently added security features, which impact RCP+ communication and password handling.

Export

- FTP exported files which include audio in a format other than AAC must be renamed from .mp4 to .m4a to allow correct playback in QuickTime.
- With JPEG Posting active when device is booting, the first posted JPEG image may be a nocam logo.
- FTP posting with resolution 1080p delivers JPEG with size of 1920x1072 pixels due to 16 pixel macroblock boundary of the JPEG encoder.
- If FTP export files contain only a few frames some players might not correctly replay such a file, or the replay is too quick to recognize something. The exported file is not corrupt though it might seem so.
- Files exported using continuous FTP backup for Rec. 2 where stream 2 is set to I-frames only mode contain wrong timing information and play back too fast.
- After modifying account settings, e.g. FTP server address, to get the changes applied either switching posting off and on or restarting the device is required.
- FTP export file size is always 100 MB if resolution change occurred in exported time span.
- Getting the file list from Dropbox may fail if there are too many objects (files and folders). Limit is approximately higher than 500 objects but also dependent on file name length etc.

Miscellaneous

- The camera date/time will be set to default (Year 2000) after power loss exceeding the buffer period. It is important to ensure that the date/time is correct for recording. An incorrect date/time setting could prevent from correct recording.
- After reboot, the system time re-synchronisation may be delayed up to 9 seconds for SNTP respectively up to 14 seconds for time server protocol.
- AAC audio timestamps for UDP live video streams as well as for recording streams are based on 90 kHz instead of 16 kHz to ensure compatibility with Video SDK. AAC audio timestamps for TCP live video streams are based on the standard 16 kHz timestamps. Standard players should connect to live video with AAC audio using TCP.
- After changing the selectable camera mode via alarm input the switch back to a previous mode doesn't work anymore.
- Firmware upload stops recording when it fails or is terminated.
- After a firmware upload it may happen that the Privacy Masks and settings from Installer Menu are set to default. Make sure to check if Privacy Masks and Installer Menu settings are still valid after uploading new firmware.
- After downgrade configuration integrity cannot be ensured and settings need to be checked or re-configured. Sometimes even a factory default might be required, which is anyway recommended after a firmware downgrade.
- When a configuration file is loaded to an incompatible camera, e.g. a configuration file from a HD camera loaded onto a VGA camera, encoder settings might become invalid and need to be re-configured. Uploading a configuration file from a different camera platform may result in unpredictable behaviour.
- If it shall be checked if the image is not frozen, use milliseconds timestamp to verify.
- After changing the application variant in the Installer menu, the camera reboots and starts counting down time until it tries to reconnect to the rebooted camera. IE doesn't always reconnect so it keeps showing only the waiting circle (named hourglass in earlier times). In this case resetting the browser with ctrl+f5 will re-establish connection with the camera.
- Please take note that, whenever you change the application variant, the camera resets to factory defaults.
- Analogue output does not support 90 and 270 rotation.
- Maintenance log file creation and download requires some time, though there is no progress indication, and needs to be waited for completion.
- Millisecond stamping on 60 fps cameras is refreshed with 30 Hz only, updating only every second frame.
- JPEGs with VCA overlay are not fully synchronized. Shapes might be slightly off.

DIVAR IP 2000 / 5000

Due to its improved security features, firmware 6.4 is not fully backward compatible with DIVAR IP 2000 and DIVAR IP 5000. Upgrading cameras to FW 6.4 without to-be-released firmware upgrades for DIVAR IP 2000 and DIVAR IP 5000 may cause configuration problems and possibly stop recording.

DIVAR hybrid / network

Cameras running FW 6.4 are only compatible with DIVAR network / hybrid FW 1.2.1 and higher. With earlier DIVAR network / hybrid firmware versions, the I-frame distance needs to be adapted to 30 or less.

Please check the respective release letter of a camera for further device-specific restrictions.

8 Previous Revisions

8.1 Changes with 6.51.0028

This version includes a fix for a recently discovered security vulnerability. The vulnerability potentially allows the unauthorized execution of code on the device via the network interface. Bosch rates this vulnerability at 9.4 (Critical) and recommends customers to upgrade devices with updated firmware versions. For detailed information please refer to the published Security Advisory BOSCH 2018 1202 BT.

8.2 Changes with 6.51.0026

Password reset mechanism changed

Clearing passwords of all three legacy users was changed to only reset/change the password for the user 'service' to 'service', while passwords of all other users including 'live' and 'user' as well as other service users stay unchanged. The user can then logon to the camera using user 'service' with password 'service'. He should then change the password for the service user again.

8.3 New Features with 6.50.0128

- Image pre-processing enhancements on DINION IP starlight 6000/7000 and FLEXIDOME IP starlight 6000/7000
  - A user slider to tune the maximum gain allowance is added.
  - A new scene mode is now available for optimized License Plate Recognition (LPR) (only for DINION IP starlight 6000/7000).
- Intelligent Streaming enhancements
  - Statistics pages have been added for live and recording streams. These provide guidance for optimally adjusting bitrate and quality settings, and make judgement on averaging easier in order to optimize storage consumption.
  - Intelligent Streaming configuration parameters in encoder profiles are now grouped.
- Highly reliable SD card recording with life cycle monitoring
  Industrial SD cards which provide wear level data can be monitored for their health and expected lifetime, providing much more reliable SD card recording. Three vendors have been tested and qualified:
  - Sony
  - SanDisk
  - Micron
  Due to the high dynamic in the SD card market, no direct reference to the models is given. Latest Industrial SD cards from all three vendors support this feature.
- ONVIF Profile T is now supported.
- Current gain value is visualized in video preview window.
- The ID out of the best face detection is attached to the JPEG filename when posted via FTP and also added to the metadata stream to allow searching.
- SNI support has been added to improve load-balancing for cloud-based solutions.

Security features

- Software Sealing
  The camera configuration can be sealed once it should not be changed anymore. Any change of the sealing status and any change to static configuration, accidentally or intentional, will break the seal, creating an alarm message that can be used by the video management system to launch an appropriate alarm scenario. All modifications affecting the sealing status are logged separately.
- Firmware files are now encrypted.
- Files received via HTTP upload are checked for correct size.
- "Secure renegotiation" is signalled in TLS.
- In case of certificate user authentication, the clock base is re-adjusted, e.g. after battery loss.

8.4 Changes with 6.44.0020

- Cipher suites were enhanced by TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.
- An issue with simultaneous multicast streams, introduced with FW 6.43, has been fixed.
- An issue with ONVIF SetImageSettings, where incorrect settings could be applied when an unsupported namespace was used, has been fixed.
- An issue with ONVIF IVA messages suspended, when more than one IVA rule was configured, has been fixed.
- An issue with VCA calibration lost after image rotation has been fixed.
- An issue with EAP-TLS certificates with CRL extension, intermittently prohibiting authentication, has been fixed.
- An issue with panoramic cameras, where pre-positions could not be set in the web interface when in on-board dewarping mode, has been fixed.
- Various smaller issues have been fixed.

8.5 New Features with FW 6.43.0027

- A possibility to increase the Power-over-Ethernet (PoE) demand signalled via LLDP has been added. This may help to optimize the power management on switches and e.g. also eases to use the cameras in outdoor housings with PoE-powered heating systems.
- IGMP version can now be set to a specific version. Automatic detection is still default.

8.6 Changes with FW 6.43.0027

- After updating to firmware version 6.43, users will be able to take advantage from boosted performance and enhanced image quality of DINION IP starlight 6000 / 7000 and FLEXIDOME IP starlight 6000 / 7000:
  - Overall improved contrast and sharpness
  - Stronger sharpening in the detailed zones of the image
  - Retuned the balance between motion blur and image noise in both base modes (Starlight and HDR Extended Dynamic mode). This generally reduces visible motion blur for moving objects, especially in dark scenes.
  - Improved blending of multiple exposures in HDR mode, especially in scenes with moving objects
  - In addition to the starlight mode, the default shutter function in the ALC menu is now also available in HDR Extended Dynamic mode
- Improvements on Multipathing support for storage devices.
- Various smaller issues have been fixed.

Note: Due to improved image tuning in this firmware version, the behavior of various image enhancement sliders can be different than in older FW releases. Therefore it is recommended to perform a Restore Mode Defaults after the firmware update is finished in order to get the best performance. This button can be found under: Configuration -> Camera -> Scene Mode. This can be done for each scene mode individually. If you want to reset all scene modes, then it is recommended to perform a factory default.

8.7 Changes with FW 6.42.0021

- Stronger user name and password policy is enforced. The following rules apply:
  - User names must be at least five (5) characters long.
  - User name and password must not be identical.
  - A password must consist of minimum eight (8) characters.
  - A password must contain both upper-case and lower-case letters.
  - A password must include one or more numerical digits.
  - A password must include at least one of these special characters: ! ? " # $ % ( ) { } [ ] * + - = . , ; ^ _ ~ \
  - Other special characters (like space @ : < > ' & etc.) are not supported.
- Multicast discovery port is now configurable via browser interface.
- An issue where sporadically no video was shown after power cycle has been fixed.
- An issue where Automatic Network Replenishment ANR failed when SD card is broken has been fixed.
- Improved behavioural response on denial of service attacks.
- Various ONVIF communication issues have been fixed.
- Various smaller issues have been fixed.

8.8 Changes with FW 6.41.0037

- Various smaller issues have been fixed.
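The user name and password rules listed under 8.7 can be checked before credentials are rolled out to a fleet. The following validator is an added example, not Bosch code; the rule codes and sample credentials are constructed, and it assumes that any password character outside ASCII letters, digits and the listed specials counts as "not supported".

```python
"""Added example: credential check against the rules listed for FW 6.42.0021."""
import string
from typing import Dict, List

# Special characters the letter lists as accepted in passwords.
ALLOWED_SPECIALS = set('!?"#$%(){}[]*+-=.,;^_~\\')
# Assumption: everything outside this alphabet is treated as unsupported.
SUPPORTED = set(string.ascii_letters + string.digits) | ALLOWED_SPECIALS


def violations(username: str, password: str) -> List[str]:
    """Return the rule codes this credential pair breaks, in rule order."""
    found: List[str] = []
    if len(username) < 5:
        found.append("username-too-short")
    if username == password:
        found.append("password-equals-username")
    if len(password) < 8:
        found.append("password-too-short")
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_lower = any(c in string.ascii_lowercase for c in password)
    if not (has_upper and has_lower):
        found.append("password-missing-case")
    if not any(c in string.digits for c in password):
        found.append("password-missing-digit")
    if not any(c in ALLOWED_SPECIALS for c in password):
        found.append("password-missing-special")
    if any(c not in SUPPORTED for c in password):
        found.append("password-unsupported-char")
    return found


def audit(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each non-compliant user name to the rules its password breaks."""
    report = {}
    for user, pwd in credentials.items():
        broken = violations(user, pwd)
        if broken:
            report[user] = broken
    return report


if __name__ == "__main__":
    # Constructed sample. 'service'/'service' is the state the password reset
    # described under 8.2 leaves behind, so it is worth flagging in an audit.
    planned = {
        "service": "service",
        "live": "Camera@2024",
        "operator1": "Str0ng;Pass",
    }
    for user, broken in audit(planned).items():
        print(f"{user}: {', '.join(broken)}")
```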

8.9 Features with FW 6.40.0240

Intelligent Streaming

- Intelligent Streaming is a combination of features and functions to optimize bitrate consumption of recorded video. It benefits from improved noise reduction in still areas of the image, an average noise level communicated to the encoder, larger GOP size, strong use of prediction in case of B slices, and dynamic tuning of quantization parameters (QP) in the encoder. The strength of the bitrate optimization can be set via 5 levels. Savings can be up to 80% but are strongly scene-dependent. Intelligent Streaming is enabled by default in medium setting.

Security

- Password enforcement
  New cameras with this firmware installed will only become operable after the password for the administration level (user service) has been assigned. Other users user and live will only become accessible after the administrator assigned passwords to them. Cameras which are updated to this firmware from a version lower than 6.40 will not change their behaviour and remain at their former protection level unless reset to factory defaults.
- Signed firmware file enforcement
  Only Bosch-signed firmware will be accepted by the camera without compromises. A downgrade to a non-signed firmware is not possible anymore.
- Data encryption on iSCSI storages
  The payload on an iSCSI drive is encrypted using a symmetric XTS encryption scheme (block encryption). The camera uses a number of public keys to asymmetrically encrypt the XTS key for multiple receivers. These public keys are maintained in the certificate store via certificates. Usage can be defined as for recording1 and/or recording2. Payload encryption is possible on SD cards as well as on external iSCSI storage. A client that shall be allowed to replay this footage must have its cert/key registered and activated. The Video Recording Manager (VRM) may also be a receiver to decrypt the payload data for replay.
- SRTP payload encryption for live and replay
  SRTP provides payload encryption of UDP streams via TLS, similar to what HTTPS does by using TLS for TCP streams. Also encrypted multicast connections are possible.

- SNMPv3 support
  New alternative SNMP support provides encryption and authentication. This new service will provide pure MIB-II access. Legacy functions, like NTCIP support or mapping of dedicated RCP commands to SNMP Enterprise MIB nodes, are only provided with existing SNMPv1 implementation.
- Certificate revocation list (CRL) support
- To improve usability and provide a more compact overview, the web user interface for the certificate store has been updated. It now allows direct tagging of certificates for usages. The former split into two areas (Files and Usage) is removed.
- Stronger encryption and password protection for configuration file
  The configuration file is encrypted and password-protected before download. The user as the owner of this configuration file is prompted for the password. The password is required when the configuration file is uploaded to a camera. The configuration file is encrypted using standard mechanisms but not intended to be opened or modified by the user, thus the encryption key itself is kept internal and not exposed.
- Stronger encryption for maintenance log file
  The maintenance log file as being used in tech support cases is encrypted with a Bosch public key. Only tech support staff is authorized to decrypt and open the file.
- The minimum TLS version can be defined, e.g. to avoid vulnerabilities from TLS 1.0 and 1.1.
- The Telnet console has been completely removed and is substituted by a new logging facility providing:
  - A more structured output including timestamp, severity and module sources
  - Search and filtering for specific events via web user interface
  - Direct output to a syslog server
  - Configuration to produce similar debug printouts for tech support as previously
- Consolidation of running services, visualized on new page Network Services. Only those services (HTTP, HTTPS, RTSP, RCP, iSCSI, NTP, discovery, ONVIF discovery) are running which are required for activated functionality. All other services (FTP, SNMP, UPnP, GB/T 28181) and their respective ports are deactivated.
- The password unlock functionality (support recovery option) can be disabled.
- CHAVE cameras
- Multiple trusted issuers are now allowed for client certificate authentication.
- An option to not wipe the SXI certificate when a factory default is issued has been added.

Imaging

- Improved noise filtering in still scenes.

VCA

- For details on VCA 6.40 please refer to the separate release notes of Essential Video Analytics or Intelligent Video Analytics.

ONVIF

- ONVIF manual iris and focus controls added.
- Feature coverage of the ONVIF metadata stream has been extended to include e.g. object classes, object shape polygons, faces, flame and smoke detection info.
- Profile G support
  - Recording start and control has been added.
  - Recording search and replay functionality has been added.
- Tested with ONVIF Device Test Tool 16.07 SR2 rev. 617.

Miscellaneous

- SMTP port is now configurable via web interface.
- Multipathing support for storage devices.
- User name from certificate for EAP-TLS is used as EAP identity, if provided.
- Dynamically colored privacy masks, depending on surrounding video added. This can be used to not distract the operator due to intense color, e.g. white privacy mask in night scene.
- Cameras can connect to the CBS Remote Portal installer service.
- New illuminators for MIC 7000 are supported.
- Intelligent Auto Exposure (IAE) has been extended to cameras without FPGA.
- An event playback button has been added to the Live page to allow a quick playback of the last event in case there was an incident and the camera was connected remotely to check what happened instead of checking live and then go to the playback page.
- Default device date is set to firmware build time in case of invalid RTC time to avoid lock-out in case of certificate-based authentication.
- Dropbox API has been updated. The API used before was going obsolete on June 28th, 2017.

8.10 Changes with FW 6.40.0240

- Installation Code has been enhanced with a block for crypto-coprocessor version indicators. The length of the Installation Code has been extended to 48 digits instead of only 44 digits.
- Improved certificate parser to support more attributes used e.g. by various mail providers.

8.11 Features with FW 6.32.0111

Imaging

- Settings for maximum gain control have been added.

Thermal Imaging

- Support of up to 640x480 pixels (VGA) thermal image.
- False Color Mapping selectable from a range of templates.
- Flat Field Correction (FFC) is synchronized with video analytics.
- Refer to the release letter of DINION IP thermal 8000 for a comprehensive feature overview.

Security

- Strengthened password policy: New passwords must now be a minimum of 8 characters including special characters. Passwords are continuously demanded; message cannot be hidden anymore.
- For full support of HSTS, an option HSTS plus HTTP redirection has been added.
- Fallback to TLS 1.0 can be disabled.

VCA

- JPEG with VCA overlay is now also available in full screen view.
- Analytics algorithms have been optimized to support thermal images.
- For details on VCA 6.30 please refer to the release notes of Essential Video Analytics or Intelligent Video Analytics.

Miscellaneous

- Improved user interface for 802.1x settings. Interface shows an EAP-MD5 password field and lists the EAP-TLS certificates with a link to the certificate store.
- Security coprocessor (TPM) version is listed in system overview.
- Preposition widget on Live page can be completely disabled in Web appearance settings.

8.12 Changes

- Limited frame rate stream capability names are presenting the frame rate as skip value, which is used as divisor in relation to the base frame rate. A value skip 5 results e.g. in 12 fps if base frame rate is set to 60 fps, or in 5 fps if base frame rate is set to 25 fps.
- In preparation for ONVIF Profile Q support, planned for next major firmware release, the default setting for Automatic IPv4 address assignment has changed from On to On plus Link-Local, a setting that had already been in the option list before. Though this might seem a small change, it may have an impact: The former default IP address 192.168.0.1 will virtually become obsolete. Instead, the camera will assign itself an auto-IP address out of the range 169.254.1.0 to 169.254.254.255 as long as there is no other IP address assigned by a DHCP server. (https://en.wikipedia.org/wiki/Link-local_address) The advantage is that there are no more duplicate IP addresses, which is considered prohibited in a network.
- New tuning of image pre-processing has been applied to improve motion sharpness and to reduce artifacts.
- VCA overlays are drawn after scaling to improve visibility.
- For DINION IP thermal 8000, non-functional rotate, flip and mirror were removed from web user interface. In addition, some smaller user interface clean-ups were applied.
- An issue has been fixed where the maintenance log could not be downloaded.
- An issue has been fixed where the wrong SD card recording status was displayed.
- A security leak, which allowed to extract critical data from the device, has been fixed.
- A problem with incorrect time zone info in recording packets causing gaps in timeline has been fixed.

8.13 New Features with FW 6.30.0140

The feature set of this CPP7 platform firmware is aligned with the feature set of CPP4 and CPP6 platforms. See below the latest feature additions in relation to former firmware 6.2x and new features specific to CPP7. For earlier feature additions please refer to CPP4 or CPP6 release notes.

Imaging

- Flexible video input orientation handling, including mirror and rotate (90, 180 and 270°) allows corridor view applications using full resolution.
- A 1.3 MP crop is available on stream 2 on 1080p variants.
- Built-in gyro sensor is supported for automatic orientation detection.

Security

- The user management allows free assignment of usernames. Each user can be assigned a user group representing live, user, or service level.
- New user management system allows to dynamically create a user for whom the password can be treated as token. Also timeout before user account expires is possible.
- Token-based authentication implemented to allow user management based on communication with Microsoft Active Directory Federation Services.
- Secure FTP connection (FTP over TLS) is implemented.
- ICMP redirect messages are not accepted by default. Acceptance can be re-enabled via RCP+ command, if needed.
- Video authentication is also possible on RTSP streaming. It can be enabled with CGI parameter auth=1 which requests picture info packets (payload type 97).

Recording

- Recording to iSCSI supports LUN size up to 64 TB.
- A PTZ preposition can be stored in a recording profile, allowing to record only a region of interest (ROI) of the full image.

ONVIF

- ONVIF encoder profile settings can be verified via http://<ipaddress>/onvif_encoder_profiles.
- Manual focus and iris control is supported via ONVIF command.
- Tamper detection alarms are forwarded to and included in ONVIF event services.

VCA

- 6000 series cameras support Essential Video Analytics.
- 7000 series cameras support Intelligent Video Analytics.
- For details on VCA 6.30 please refer to the release notes of Essential Video Analytics or Intelligent Video Analytics.

Miscellaneous

- HTML5 video tag is used to display a continuous MP4 video file from the camera on browsers not supporting NPAPI plug-ins (MPEG-ActiveX) like Firefox, Chrome and MS Edge.
- A Links section in the main navigation (blue top bar) leads to a DownloadStore page providing latest tools, apps and supportive software.
- Unicode characters are also possible on all configuration strings.
- Time server IP address can be accepted to be overwritten by DHCP.

- Display of preposition widget on Live page can be configured.

8.14 Changes with FW 6.30.0140

- Fixed a potential recording issue which could cause recording to stop due to insufficient storage error handling under rare error conditions, like e.g. massive irregular network connection interrupts to storage system.
- Fixed an issue with placed/taken objects generating no alarms within fields.
- Improved handling of FPGA boot-up.