release.txt Driver File Contents (

                              Release Notes

                   Broadcom BCM5761 Management Firmware
                 Copyright (c) 2012 Broadcom Corporation
                          All rights reserved.

Version - August 09, 2012
   1. Problem:
      The web server would parse reference method parameters as decimal
      numbers rather than hexadecimal as documented.

      Incorrect parse method used.

      Parse reference method parameters as hexadecimal.

   2. Problem (CQ64887)
      The fix in was incomplete and would end up triggering CTS hangs
      more often.

      While the FIN was set, the next SEQ number was not incremented.  As a
      result, when the remote end ACKed the FIN, the firmware would perceive
      this as an invalid ACK.

      Correctly increment the SEQ number.

Version - July 30, 2012
   1. Problem (CQ40084):
      OMData instances remain even after OMData NVRAM storage is deleted.
      This is a  mis-configuration scenario.

      The CIM_OpaqueManagementDataService and
      CIM_OpaqueManagementDataCapbilities classes were instantiated even if
      there was no OMData storage space allocated.

      Check the total OMData storage space before instantiating the
      CIM_OpaqueManagementDataService and CIM_OpaqueManamentDataCapabilities

   2. Problem:
      Some unicode glyphs not correctly handled in modifiable properties.

      Use of non-unicode string copy function.

      Use a unicode safe copy function for copying all property values.

   3. Problem (CQ64887):
      DASH CTS could hang while testing power control methods.

      CTS does not correctly handle HTTP session tear-down.  As a result,
      lost packets with the FIN flag set will cause an infinite wait.  During
      power state changes, a FIN packet is more likely to be lost due to link

      Include the FIN flag in the last data packet ot ensure that if all
      data is transmitted, the FIN will also be transmitted.

   1. When there are multiple DNS host entries, randomly select an entry to

   2. Remove the extraneous and confusing word "Information" from the values
      of all instances of CIM_SoftwareIdentity.ElementName.

Version - May 14, 2012
   1.  Problem (CQ63296):
       XML Entities parsed with the trailing semicolon left as part of the
       decoded text.

       Incorrect entity length calculation.

       Fix length calculation.

Version - May 9, 2012
   1.  Problem:
       Infinite loop while enumerating association instances with a
       ResultClass specified.

       Bug in association filter enhancement for

       Eliminated infinite loop.

Version - May 3, 2012
   1.  Problem (CQ63064):
       Unable to modify CIM_Account.UserPassword using the Put operation with
       the "new" correct string[] OctetString encoding.

       The OctetString parser did not function correctly when the source and
       destination buffers were the same as in the case of a Put.

       Correctly handle the case where source and destination buffers are the
       same when parsing OctetString values.

   1.  Support subscriptions to an Indication Class as specified in DSP0227
       v1.2.0 section (without Polymorphism support).  This provides
       a generic standards-based way to subscribe to all indications without
       parsing filters and filter collections.  No filtering is supported.

   2.  Assocation filtered enumerations do not need to have their results
       sorted and have duplicates removed as with Associated filtering.  Only
       sort and uniq the latter.  This should speed up partial Pulls of
       association filtered sets.

   3.  Added GetDateTime command as a supported PLDM command in the response
       to GetPLDMCommands request.

Version - March 26, 2012
   1. Problem (CQ61879):
      Data corruption on firmware start leading to firmware crash

      Updated compiler uses different main call stack profile.

      Update build for new stack profile.

   1. Update compiler optimization flags.

Version - March 22, 2012
   1. Problem (CQs 61875 and 61879):
      Data corruption on firmware start leading to firmware crash

      Updated compiler uses different TIMER call stack profile.

      Update build for new stack profile.

    1. Fix warnings from static anaylsis.

Version - March 6, 2012
   1. Problem (CQ 61987):
      Web GUI ForEachAssociation blocks would not match existing instances.

      Optimization of association enumeration resulted in unsupported start
      conditions for filtered instance enumeration.

      Support starting filtered instance enumeration with an association

Version - March 2, 2012
   1. Problem (CQs 61875 and 61879):
      Data corruption on firmware start.

      New compiler version generates code which can corrupt memory structures
      under specific circumstances.

      Compile using old compiler version (no code changes).

Version - February 22, 2012
   1. Problem (CQ 59853):
      Remote power on/off cycle stress testing ends prematurely on a
      particular platform.

      Cause 1:
      Management firmware is not responsive in Vaux due to inability to
      receive management traffic. When management packet is received, no
      interrupt is generated and no packet buffer is used.

      Change 1:
      Firmware detects above condition and generate a GRC reset to reset
      MAC module.

      Cause 2:
      In Vmain, ASF "power off" message can't be sent to the system's
      Remote Control Device due to SMBus controller stuck in StartBusy0 state.
      Change 2:
      Firmware will clear out StartBusy0 state before sending SMBus message.

   2. The "guess system state" feature will no longer, under any condition,
      report the system state as S0 if the "Vmain Present" signal is low.
      Previously, if the firmware thought the host OS/device driver was
      active (present and functioning), this feature would report S0 even if
      Vmain was not preset.

   3. Problem:
      A 0-length SMBIOS structure table stored in the management configuration
      would cause the firmware to crash with a NULL-pointer dereference.

      Improper handling of a 0-length SMBIOS structure table.

      A faux "empty" SMBIOS structure table will be used when the table stored in
      the management configuration record set is of an invalid length (e.g. 0

   4. Problem:
      CIM_PowerSupply.TypeOfRangeSwitching contains 6 (Not Applicable).

      Assumption that only switch-mode power supplies can automatically switch
      based on input voltage.

      Do not check if the power supply (advertised in the SMBIOS structure table)
      is a switching power supply before populating this property value.

   1. Upon firmware exception, the exception handler will re-initialize the
      APE shared memory segment signature, length, and fw_behavior fields to
      ensure that the RxCPU will reset the APE subsystem if it has been
      configured with "Restart APE when hung" enabled. This enhancement is to
      work-around unforeseen conditions where the APE shared memory segment may
      have become corrupted immediately prior to a firmware exception.

   2. Various detected initialization failures will now cause the firmware to
      store a "fw_status" value in the APE shared memory segment with "0xE" in
      the uppermost nibble and then halt the APE CPU.

   3. CIM_RecordLog.OperationalStatus[0] will now contain value of 2 (OK) or
      6 (Error) rather than 0 (Unknown) depending on the state of the
      event/audit log.

   4. Various CIM/WS-Man instance get/enumeration performance improvements.

Version - October 24, 2011
   1. Problem (CQ 59260):
      Incorrect value reported by the CIM_Memory.NumberOfBlocks property.

      Only the first SMBIOS Physical Memory Array (Type 16) structure
      which had a Usage member set to System Memory (3) was used in
      calculating the size of the total system memory to populate the
      CIM_Memory.NumberOfBlocks property for the system.

      Sum the size of all Memory Device (Type 17) structures which
      are associated with any Physical Memory Array (Type 16) structure
      that has a Usage member set to System Memory (3).

   2. Problem:
      Graceful power control operations not supported when using a
      network driver that doesn't support driver state change APE events
      (e.g. tg3 driver v3.93.0).

      would not contain the values: 4, 7, 12, 14, or 15 when the driver
      and brcmMgmtAgent were operational.

      The firmware assumed the operating system was not present/running
      because it never received a "driver loaded" state change event,
      so it would not advertise support for graceful power control operations
      (even though it did know the agent was running).

      When the firmware receives an APE Agent Heartbeat event (i.e. from
      brcmMgmtAgent) it will now assume that the operating system is loaded
      (a prerequisite to running the agent) and advertise via CIM support for
      graceful power control operations.

   1. Map CPU cache associativity values from SMBIOS to CIM mathematically
      rather than by enumeration.  The two have been updated in sync
      historically, so it can be expected they will remain so in the

      New associativity values for new processor types will work without
      a firmware upgrade in the future.

Version - August 8, 2011
   1. CQ 57673:
      When the management firmware (re)initializes the PHY, if the 
      "Enable PHY Auto Powerdown" option (i.e. B57diag->secfg item 37)
      is disabled in NVRAM, the PHY Auto Powerdown feature is disabled.

      Requires RxCPU bootcode v3.80 or later.

Version - August 4, 2011
   1. Problem (CQ 57621):
      Successive attempts to set IsNext property of a CIM_ElementSettingData
      instance (associated with a CIM_BootConfigSetting instance) to the
      same value fails.

      The code for setting the CIM_ElementSettingData.IsNext property value
      toggled the current value rather than checking the value that the
      property was being set to.

      Check the value being assigned to the IsNext property and if it is the
      same as the current value, do nothing.

Version - May 18, 2011
   1. Problem (CQ 55700):
      Kerberos Ticket Parsing Error

      The IF-RELEVENT member of the AF-IF-RELEVENT sequence of the
      AuthorizationData sequence of the Kerberos ticket would not be parsed
      correctly if more than one IF-RELEVENT sequences were present.

      Correctly handle multiple IF-RELEVENT sequences in the AD-IF-RELEVENT

   1. When negotiate authentication is attempted but fails, provide useful
      debugging information in the returned 401 HTML page.

   2. When an Active Directory user does not match any AD Identity SIDs, return
      a 401 error rather than authenticating a valid user with no privileges.

Version - January 14, 2011
   1. Problem (CQ 52005):
      CIM_InstModification Indication delivery failure for

      When a zero-length string property was sent as part of an instance in an
      indication, the content body of the chunked HTTP request was

      Add correct handling of zero-length string properties while sending a
      chunked request.

   2. Problem:
      Resource leak: solicited node multicast groups not left when IPv6
      address changed.

      Multicast group subscriptions created for solicited node multicast
      resolution were left in place when there were no longer any addresses
      covered by the group.

      When an IPv6 address is removed, leave any solicited node multicast
      groups which would no longer be responded to.

   3. Problem:
      Resource leak: empty event queue could grow larger than necessary under
      heavy load.

      No upper bound placed on event queue length.

      Place upper bound on event queue and free any extra entries rather than
      reusing them.

   4. Problem
      Resource leak: failure during multicast address creation could leak

      Some failure cases could theoretically cause memory to not be freed.

      Free all allocated memory in all error cases.

   1. Enhancement request (CQ 51703):
      Add CIM_ProcessorCapabilities instances to model processor cores and 

      Instantiate CIM_ProcessorCapabilities and CIM_ElementCapabilities

   2. Enhancement request (CQ 51879):
      Added support for use of Locally Administered ("soft") MAC address.

      Properties CIM_EthernetPort.PermanentAddress and
      CIM_ComputerSystem.OtherIdentifyingInfo[CIM:MAC] will always reflect
      the permanent MAC address (not the LAA, if one is used).

      Requires Management Agent v1.46.0+.

Version - December 1, 2010
   1. Problem (CQ 51055)
      Firmware becomes unresponsive after testing CIM_PowerManagementService
      methods for extended periods of time (ie: days).

      Slow memory leak when DHCP binds an address to a device while there
      is pressure on the memory pool (eg: unacked TCP packets).

      Fix memory leak when joining the all hosts multicast group with low
      available memory and avoid dynamic allocation when parsing DHCP
      messages where possible.

Version - November 9, 2010
   1. Problem (CQ 50571):
      DASH CTS will hang when exercising CIM_PowerManagementService methods
      with some configurations.

      Fix for CQ 36753 results in an extra loss of link during which the
      firmware closes the connection.  Since CTS never probes the connection
      and has no timeouts, this results in a hang.

      Modify fix for CQ 36753 to upgrade BCM5761 core clock to 62.5MHz in
      order to maintain 1Gb link rather than renegotiating link at 10/100Mb.

Version - October 21, 2010
   1. Problem (CQ 50052):
      ElementCapabilities between IndicationService and
      IndicationServiceCapabilities instances are in the wrong CIM namespace.

      ElementCapabilities class was hard-coded to the default namespace.

      Correctly detect the appropriate namespace of the association.

   2. Problem (CQ 50227):
      Using Text Console Redirection, see redirected text just the first time
      when using a DHCP-assigned dynamic IP address.

      When driver loads before DHCP negotiation is complete, the IP address
      from a firmware DHCP lease is temporarily released before being re-added
      immediately from the OS present lease.  This results in all open sockets
      (in the management controller) being closed despite the fact that the
      configuration is not actually changing (only the lease is changing).

      Check if the new IP address matches the old address and, if it does, do
      not release the old address.

   3. Problem (CQ 50430):
      Receiving "Invalid Response" when disconnecting a text console
      redirection session using DashMgmtCon.

      When the IPv6 address changes, IPv6 is enabled, and IPv6 is preferred
      over IPv4, the old EPRs for the SAP become invalid due to the SystemName
      property (which is the preferred IP address).

      Use a NameFormat of "Other" (rather than "IP") and Name equal to the
      canonical UUID (e.g. 83ec019b-ffc9-11de-bbd8-81a101ee0024).
      When allowed by the CIM schema, NameFormat will be changed to "UUID"
      (in a future firmware release).

   4. Problem (CQ 50353):
      In SMP systems, only the first processor has an EnabledState property
      value of "Enabled" and successive processors have an EnabledState
      property value of "Quiesce", thus violating the DMTF CPU profile
      (DSP1022) requirements and causing a potential DASH CTS test failure.

      The SMBIOS structure tables are generated by the BIOS which runs on only
      a single CPU.  At this time, successive processors are in an Idle state
      and the tables reflect this.  Because of this, the DMTF CPU profile maps
      this SMBIOS data to an EnabledState of Enabled and requires this mapping.

      Map the SMBIOS CPU Idle state to a CIM EnabledState value of "Enabled"
      rather than "Quiesce". This change meets the requirements of the DMTF
      CPU profile (DSP1022).

Version - September 17, 2010
   1. Problem (CQ 47379):
      The CIM_InstCreation that takes 30 seconds to appear when subscribing
      to Indications/Event with an IPv6 address.

      Unexpected FIN behavior in TCP/IP stack.

   2. Problem (CQ 48993):
      CIM_FilterCollection CollectionName and ElementName property values are

      Correct descriptions of filter collections.

   3. Problem (CQ 49301):
      Unable to use default XML namespace for PUT request body.

      Default XML namespace strings were not saved for class URIs.  The class
      was not resolved until later using the saved XML NS URI, so when Default
      XML namespaces defined the class, the firmware was unable to get the
      class name resulting in a fault.

      Store default XML namespaces which contain a CIM class URI.

   4. Problem (CQ 49970):
      Duplicate results in Associated Instance queries.

      Older specifications permitted this behavior so this was by design.

      As per WS-Man 1.1 specification, filter out duplicate results.

   1. Enhancement request (CQ 40008):
      Telnet and SSH Text Console Redirection is unable to work in conjunction
      with Active Directory authentication (i.e. single sign-on).

      Added CIM_SharedCredential which contains a one-shot password which can
      be used for SSH and Telnet authentication.

      The console is expected to enable a SAP, read the credential, then use
      the credential (at which point, the credential ceases to exist).  When
      the console disconnects, a new credential is created which persists
      until the SAP is transitioned to the Disabled state.

   2. Support for PLDM State Sensors:
      PLDM Platform Event Messages received from PLDM State Sensors can now be
      mapped to CIM_AlertIndications (for event log record entries and
      alert indications) by importing a configuration file (e.g. ".ini" file)
      which contains details about the sensor (e.g. sensor-ID), and mappings
      for PLDM eventState to CIM_AlertIndication platform message registry
      values (e.g. OEM state set).

      Optionally, PLDM state sensors may now be modeled as CIM_Sensor
      instances with similarly imported PLDM presentState/eventState to
      CIM_Sensor.CurrentState and PossibleStates values from ".ini" file.

   3. Support for Record Log Profile 2.0.

      Implemented DSP1010 v2.0 requirements for "Standard Message" support:
      * CIM_RecordLogCapabilities instances
      * CIM_LogEntry properties:
        - MessageArguments
        - MessageID
        - OwningEntity
        - PerceivedSeverity

   4. Enhancement request (CQ 49971):
      WinRM -shallow and -basepropertiesonly do not work.

      Added support for additional PolymorphismModes.

   5. Added an "Advanced" manageability flag (bit 31) to allow the disabling
      of TCP resets after socket closes on out-bound HTTP (client)

Version - June 11, 2010
   1. Problem (CQ 48178):
      Changing BRCM_OOBManagementHTTPSSetting.Enabled property from false to 
      true via WS-Management will cause an HTTPS failure.

      Base 64 encoding a zero length buffer resulted in garbage.  Since a PUT
      involves a read/modify/write, the garbage value would then be written
      into NVRAM and used as a CA certificate.

      Do not base 64 encode zero byte buffers.

   2. Problem (CQ 47260):
      Under some unique conditions, WinRM will return an XML Parse Error when
      enumerating CIM_MemberOfCollection.

      Firmware network stack problem recovering from lost TCP packet when
      using selective ACK (SACK) and sending more than 16000 bytes.

      Resolved in network stack update.

Version - May 26, 2010
   1. Problem (CQ 47382):
      Using HTTPS to modify BRCM_OOBManagementHTTPSSetting will cause a HTTP
      Security Error with WinRM.

      A get of an octetstring value over a specific size (about 18 bytes for
      uint8 arrays and about 12 bytes for string arrays) would return a
      corrupted value.

      Fix "get" implementation for octetstring arrays.

        - BRCM_OOBManagementHTTPSSetting.ServerCertificate
        - BRCM_OOBManagementHTTPSSetting.TrustedCACertificate
        - BRCM_OOBManagement8021xSetting.TrustedCACertificate

   2. Problem (CQ 47535):
      Firmware crash when attempting to send TCP or UDP packets when local
      device address is not addressable (e.g. when first enabling manageability
      via BMCC).

      Do not dereference NULL device pointers.

   3. Problem:
      Mapping of SMBIOS "System Cache Type" value of 01h (other) to
      CIM_AssociatedMemory.CacheType value of 1 (other) requires populating
      the OtherCacheType property as well.

      Set the CIM property value to 0 (Unknown) when the cache type is
      reported as "other" (01h) in the system's SMBIOS structure table.

   4. UTF-16 BOM was not being parsed as part of the HTTP request body.  This
      prevented UTF-16BE from working when the BOM was the only indication of
      byte order.

   5. Problem (CQ 47274):
      Ejecting USB Redirection Device in Linux will not terminate the USB
      USB Redirection now informs the host that EJECT is not a valid action on
      the redirected drive. If the OS still performs an eject, the redirection
      will still not terminate.

   6. Problem (CQ 47209):
      USB Redirection device will disappear after 10 minutes in RHEL 5.5.

      USB redirected mass storage device simplified to conform more closely to
      the applicable standards rather than pretending to be a DVD+/-R drive.

   1. The (optional) automatic register repair function will now enable the
      UART PCIe function if it is disabled but UART redirection is enabled
      to work-around NDIS driver bug where it would disable the UART function
      during driver load.

   2. Change USB redirection device productID from 0x5761 to 0x1681.

   3. Enabled two-way authentication via HTTP-digest.

Version - April 23, 2010
   1. Problem (CQ 47291):
      Subscribing to CIM Indications/WS-Events with an IPv6 address causes a
      NULL dereference (and crash).

      IPv6 stack issue when sending on a socket that is not in the connected

      Detect condition do not send on undefined (or NULL) interfaces.
   2. Problem (CQ 47292):
      BRCM_OOBManagement8021xSetting boolean property values have inverted
      logic (e.g. when enabled, the "Enabled" property is false).

   3. Problem (CQ 47248):
      A sleeping Windows system may wake upon receipt of a management packet
      when interesting-packet WoL is enabled in the driver configuration.

      Hardware WoL pattern matching does not take management packets into

      Support WoL interesting packet processing in management firmware.
      Requires NDIS driver v14.2.0.4 or later.

      Windows only.

   1. Immediate graceful power control when using BrcmMgmtAgent for Windows
      v1.42.1 with NDIS driver v14.2.0.4 or later.

   2. Track MCTP over SMBus messages and ASF power control commands that were
      retried and number of times they were retried. Place these statistics
      into APE shared memory to be read and displayed by b57diag (apeinfo -m).

   3. Add work-around for HTTP client compatibility with buggy "SHS" web
      server (invalid range request response). e.g. for USB redirection and
      firmware update support.

Version - April 8, 2010
   1. Updated TLS/SSL and SSH stack.

   2. Count MCTP retries (reported in B57diag v14.08.05 'apeinfo -m' output).

Version - March 19, 2010
   1. Fix NULL dereference when parsing CIM_DateTime invalid period: ".S".

   2. Fix very unlikely NULL dereference in badly formatted XML where the
      default namespace is an embedded instance, no namespace prefix is
      specified and the tag name is not found.
   3. When some profiles are disabled, the privileges associated with those
      profiles could be arbitrarily hidden based on an undefined variable.
   4. Incorrect parsing of { and  style XML entities.

   5. Could not modify BRCM_OOBManagementHTTPSSetting.ServerPrivateKey

   6. Failure to GET an instance of CIM_OrderedComponent.

   7. XML parsing bug: / was taken as an attribute name so the parser was 
      expecting /="value".
      Now, it simply notes the / and continues so <tag /attr="value"> is now
      parsed the same as <tag attr="value"/>.

   8. Event Log CIM_RecordLog.EnabledState=2 (Enabled) when log is full and
      overwrite policy is 7 (Never Overwrites) - does not match DSP1010
      section requirement which states the EnabledState value must
      be 6 (Enabled but Offline) in this case.

   9. Audit Log CIM_RecordLog.EnabledState value will now be 2 (Enabled) and
      3 (Disabled) accordingly, rather than always 5 (Not Applicable).

   10. CIM_LogEntry.RecordData ... AlertingManagedElement:
       As per DSP0004, use a colon to separate the namespace from the class

   1. Updated TCP/IP stack (primarily for IPv4 fixes).

   2. CIM_RecordLog.LogState value will always be 4 (Not Applicable), since we
      don't have an "erasing" state, this property never provides any useful or
      meaningful value, but since it is mandatory, it must be implemented.

Version - February 19, 2010
   1. Problem (CQ 45729):
      Unable to initialize USB Redirection or software (firmware) update
      session when using IPv6 web server.

      Receive management traffic filter for IPv6 address was setup

      Fix receive management traffic filter for IPv6 addresses.

   2. Problem (CQ 45760):
      Firmware hangs when enable/disable IPv6 in Windows Network Properties .

      Three different re-initialization logic errors in IPv6 stack resulting
      in potential memory leaks and crashes due to NULL pointer dereferences.

      Fixed the IPv6 stack re-initialization logic.

   3. Problem (CQ 45822):
      DNS results are not filtered based on if IPv4 or IPv6 is enabled or not.

      DNS server returns both IPv4 and IPv6 addresses for hostname, 
      but firmware did not filter out result based on IPv4/ IPv6 interface

      Filter out disabled IPv4/IPv6 DHCP resolved addresses before applying
      IPv4, IPv6 preference.

   4. Problem:
      Path MTU discovery does not work when OS absent.

      When a TCP connection traverses a segment with an MTU less than the
      transmitted segment size, a large block of IP addresses become
      unreachable for over one minute.

      A typo in Path MTU discovery code resulted in the destination IP address
      being used as a netmask and a value of "32" being used as the next hop
      router.  As a result, all traffic for hosts masked by the destination
      address become unreachable.

      Correct the typo allowing Path MTU discovery to proceed correctly.

   5. Problem:
      Path MTU discovery does not work when OS present.

      No receive filter for ICMP "Destination Unreachable" packets was being

      Create a filter for ICMP "Destination Unreachable" packets to detect
      transmit failures due to path MTU size.

   6. Fix bug where driver revision (if non-zero) would be mistakenly modeled
      in CIM_SoftwareIdentity.BuildNumber for network driver instance.

   1. Default network Maximum Transmission Unit (MTU) size value is now
      configurable (instead of being hard-coded to 1500 bytes).
      This value will be configurable in the "Advanced Settings" menu of
      future versions of B57diag.exe and BMCC.exe. Default value is 1500.

Version - February 3, 2010
   1. Problem (CQ 45168):
      Could not boot to USB-Redirected image on some platforms running
      Windows 7.

      Old SCSI sense data was not cleared after a successful SCSI command.
      Clear old SCSI sense data.

   1. Retry USB-Redirected HTTP "read", to take care of SCSI Read10 failure.
      In case the web server (Abyss) set maximum # of requests 
      that can be served over the same connection, allow retry of request
      and parse response, to open a new connection.

   2. Update advertised registered profile versions to latest errata versions:
      * Physical Asset and Sensors from v1.0.1 to v1.0.2
      * Opaque Management Data and Software Inventory from v1.0.0 to v1.0.1

   3. If ASF SMBus power-up command fails (e.g. is NAK'd), assert PME# to wake
      the system.

      Caveat: Some platforms may not treat this as a remote power-on event and
              may ignore ASF boot options or the normal boot device selection

Version - January 12, 2010

   1. Problem (CQ 45074):
      Text console redirection sessions persist even after the relevant
      service access point (Telnet or SSH SAP) has been disabled. This
      behavior was not consistent with requirements of the DMTF Text Console
      Redirection Profile (DSP1024 1.0.1, section 7.4).

      Misinterpretation of profile requirements.

      Force console redirection session termination when the relevant
      SAP has been disabled by a remote management console.

   2. Problem (CQ 45246):
      BRCM_NetworkTransmitFilterSest.SetDropCount property value is missing
      one count.

      Off-by-one error in transmit packet drop count calculation.

      Add one to transmit packet drop count calculation.
   3. Problem (CQ 38210):
      ASF Power-reset stress will hang BIOS and management firmware on some
      platforms after 12-48 hours.

      A. Firmware crash (bus error) due to accessing invalid TxMbuf or RxMbuf
         due to APE tx and rx pool reinit when GRC reset occur.
      B. Firmware stuck in processing SMBus slave receive ISR.
      C. SMBus data line forced low by other device.

      Implemented work-arounds for the above failure cases.

   4. Fix AvailableRequested[Power]States array values:
      - ComputerSystem and OperatingSystem AvailableRequestedStates arrays did
        not include Quiesce (9) if the system/agent was capable of
        hibernation, but not standby. If either standby or hibernation are
        available, Quiesce is now included in the array. 
        When attempting a RequestStateChange(RequestedState=9), standby
        (sleep) will be attempted if supported/available, otherwise hibernate
        will be attempted if supported/available.
      - If the available agent commands did not include all 4 possible
        commands (e.g. a previous state change request failed in the agent or
        the agent 'commands' command-line argument was used), the array
        elements would contain duplicate and/or invalid values.

   5. Enable SSH sender deadlock protection.

   6. Add 1/10th of a second delay when an SSH send operation returned OK but
      transferred zero bytes (such as when waiting for a window size

   1. (CQ 45242)
      Model CIM_Fan.VariableSpeed property value as TRUE rather than FALSE as
      most, if not all, system fans will be variable speed and we currently
      have no method of knowing which fans are variable speed and which fans
      are not.

   2. Retry ASF_RCTL SMBus commands up to 2 times, for a total of 3 attempts.
      If an ASF SMBus message to the system "remote control device" (e.g.
      chipset) is NAK'ed, the message transmission will be retried for a
      maximum total of 3 attempts. On systems where the remote control device
      may occasionally NAK messages, this makes ASF-based remote power control
      more reliable.

Version - December 11, 2009

   1. Problem (CQ 44737):
      Secure RMCP vulnerability: a malformed "RAKP Message 1" packet received
      with a "User Name Length" field value greater than 16 may corrupt stack
      memory causing the management controller to crash or potentially allow
      an attacker to execute chosen or arbitrary instructions on the
      management controller's processor.

      Insufficient validation of received "RAKP Message 1" packets before

      If the "User Name Length" field value is greater than the maximum length
      allowed by the ASF 2.0 specification, then an "RAKP Message 2" response
      packet is sent with a "Status Code" value of 0x0C (Invalid name length),
      as defined in section of the DMTF ASF 2.0 specification

   2. Problem (CQ 44857):
      Secure RMCP authentication failure when specifying an (optional) user

      "RAKP Message 1" packet parsing had incorrect pointer arithmetic when
      handling non-zero user name lengths, so the calculated Session Integrity
      Key (SIK) was incorrect.

      Fix the pointer arithmetic to allow the user name to be included in the
      Session Integrity Key (SIK) calculation.

   3. Problem:
      "Open Session Response" and "RAKP Message 2" packets generated with a
      non-zero "Status Code" value (indicating an error has occurred) have an
      RMCP data length value of 28 and 52 bytes respectively, instead of 8, 
      as specified in sections and of the ASF 2.0
      The generated and transmitted "Open Session Response" and "RAKP Message
      2" packets were always the full message, regardless of the included 
      "Status Code" value.

      Only transmit the full 6-field, 28 or 52 byte payload when the 
      "Status Code" value is 0 (success).

   4. Problem (CQ 44698):
      802.1x PEAP is unable to Authenticate with Cisco ACS when multiple auth
      methods are enabled.

      When multiple authentication methods are enabled on Cisco ACS, during
      SSL handshake, ACS does not supply root CA cert in server cert chain.
      Management firmware expected CA cert as last cert in server cert chain.

      Retrieve CA certificate from configuration record set (record type 0x91)
      when not supplied by the authenticator.

   5. Problem (CQ 44720):
      CIM_ComputerSystem.EnabledState property value is N/A (5) when the
      system is sleep states (e.g. S3/S4) instead of Quiesce (9), as required
      by the DMTF Base Desktop Mobile Profile (DSP1058).

      CIM_ComputerSystem implementation was based on a pre-1.0 proposed
      profile specification.

      Various system sleep states are now modeled with a CIM_ComputerSystem
      EnabledState value of Quiesce (9).

   6. Problem:
      CIM_NumericSensor.CurrentReading property value would not represent
      PLDM sensors with signed data types correctly.

   7. Problem:
      CIM_ComputerSystem.ElementNameEditSupported is true, but the
      CIM_ComputerSystem.MaxElementNameLen property is not implemented.
      As per DSP1052,, MaxElementNameLen must be implemented if
      ElementNameEditSupported is true.

      Added CIM_ComputerSystem.MaxElementNameLen property.
   8. Problem:
      IP interface not getting IP address after transition from OS-Absent,
      DHCP-enabled and DHCP server is offline to OS-Present, DHCP server is

   1. Added support for initiating an ASF "remote control" SMBus message via
      APE event (e.g. using the new B57diag "apectl -A" command).

   2. Upon firmware exception (crash), useful APE registers are stored in
      shared memory for post-mortem analysis (e.g. using B57diag "apeinfo -m"

   3. When "APE Config" NVRAM content verification fails, a firmware error
      ("CfgVerifyErr") is reported/logged, but the firmware will continue to
      attempt to use the useable configuration records. 
      This works around a problem reported when using BrcmMgmtAgent v1.10 with
      firmware v1.24 where the agent was corrupting the IPv6 config record
      (due to an old BMCFG lib forward compatibility bug) and the firmware
      would ignore subsequent configuration change events (would not attempt
      to use the corrupted config records until an APE reset) and would log a
      firmware error ("CfgRead").

      The management firmware will be more tolerant of corrupted configuration
      records and attempt to continue to operate, as much as possible, with
      the configuration records that are present and not corrupted.
      For example, using BrcmMgmtAgent v1.1.0 with firmware v1.24.0.10 will
      still work for all but the IPv6 capabilities.

   4. Implemented CIM_ComputerSystem.AvailableRequestedStates and 
      CIM_OperatingSystem.AvailableRequestedStates which dynamically reflect
      the RequestStateChange() method RequestedState parameter values that are
      expected to work on the system at that given moment.
   5. CIM_AssociatedPowerManagementService.AvailableRequestedPowerStates
      dynamicism is more granular (e.g. sleep, hibernate, and shutdown
      capabilities of the system/agent are individually checked).

   6. Additional APE debug log messages may be enabled with a new "debug log"
      configuration property (e.g. under new B57diag "mancfg" or BMCC "edit"
      Advanced menu option: Debug Log Enable Flags).

      Only to be used as directed by Broadcom engineers.

   7. Do not model revision and build number for boot code (always 0) in
      CIM_SoftwareIdentity instance.

   8. Added detection of SMBus "stuck" condition, where the data line is low
      for at least 5ms. When this condition is detected, the firmware will
      reset the SMBus by driving the SMBus clock and data line low for 25ms
      and then driving both SMBus clock and data line high.

   9. Additional received RMCP packet validation:
      A. RMCP "Data Length" value must match received packet length,
         adjusted for RMCP and RSP headers and trailers, as appropriate.
      B. RMCP "Data Length" value for received RAKP Message 1 and Message 3
         packets must support the minimal number of fields (and bytes)
         specified in the ASF 2.0 specification.
      C. RAKP Message 1 "User Name Length" must match the received packet
         length, adjusted for other data, as appropriate.
      RMCP packets that fail validation are silently discarded.

   10. Improved tolerance of SSH Server to handle "half-closed" sockets
       (i.e. where client only calls shutdown() and never calls close()).

   11. Improved tolerance of HTTP Server to handle clients that wait forever
       (e.g. for a close) after the HTTP response has been sent and received.

       When a session is terminated with a RST sent from the firmware while
       link is down, the remote peer will not be aware that the socket has
       been closed until it sends another packet to the port (e.g. a 
       keep-alive). If it never sends another packet, it will never be aware
       that the socket has been closed.

       Session was closed with a RST as soon as the last response was sent.
       When the response was sent in reply to a power control request, the
       RST could be lost due to temporary loss of Ethernet link during link
       state (speed) renegotiation.

       Do not send RST until after the remote either closes its end, or the
       HTTP session timeout expires.

Version - November 6, 2009

   1. Problem (CQ 44318):
      Outbound HTTPS connections (e.g. for USB Redirection) using TLS Mutual
      Authentication are unable to authenticate with the web server.

      a) If the server root certificate was not included in the server
         certificate, validation against the CA would fail.
      b) MS IIS performs mutual authentication by reissuing a hello, which was
      c) DNS name mismatch due to bug.

      a) Allow looking up the CA when not included in the certificate.
      b) Enable re-handshake support to permit interoperability with MS IIS.
      c) Place the expected DNS hostname into the client structure.

   2. Problem (CQ 44374):
      802.1x EAP tasks did not restart after importing certificates.

      When configuration record 91 is changed, restart EAP negotiation.

   3. Problem (CQ 44441):
      CIM_BIOSPassword.IsSet still true after password is cleared.

      Zero length BIOS password was considered as a valid password. According
      to CIM_BIOSPassword.IsSet should be true for non-blank password and
      false otherwise.

      Accepted pending BIOS password that is zero length will now be
      considered as not set. Added code to remove the BIOS password attribute
      from the attribute value table and the BIOS meta record.

   4. Problem (CQ 44372, introduced in v1.24.0.4):
      Text redirection SSH session will be terminated by management firmware
      after several minutes.

      An SSH re-key would cause the SSH session to terminate due to a flaw
      in the re-key algorithm. The re-keying interval is determined by the SSH
      client (e.g. Putty default re-key interval is one hour).

      Fix problems associated with SSH re-keying algorithm.

   5. Problem:
      CIM_USBRedirectionSAP.RequestStateChange() failure would cause an
      invalid response to be generated.

      When enabling USB redirection SAP, also enable USB redirection Service,
      so ConcreteJob instance can be updated properly.

   6. PLDM for BIOS Control and Configuration:
      Added range check for BIOS attribute pending value number handles field.

   1. Additional error reporting/logging for advanced debugging capability
      (e.g. using B57diag 'apeinfo -l' or 'bmcc status -verbose'):

      - TLS/SSL/SSH/802.1X errors
      - SSL initialization failure
      - Uninitialized device key
   2. Graceful power control request method invocations will now fail
      (return 2) if the OS driver or agent is not present and capable of
      handling the request.

      - CIM_ComputerSystem.RequestStateChange(Shutdown, Reboot, or Quiesce)
      - CIM_OperatingSystem.RequestStateChnage(Disable, Reset, or Quiesce)
      - CIM_PowerManagementService.RequestPowerStateChange(OffSoftGraceful,
         MasterBusResetGraceful, PowerCycleOffSoftGraceful, SleepDeep, and

      Requires BrcmMgmtAgent v1.24.2 (or later) for graceful power control
      methods to function.
   3. Implemented CIM_AssociatedPowerManagementService
      AvailableRequestedPowerStates property, part of proposed DMTF Power
      State Management Profile v2.0.

      This property reflects the currently available requested power states
      based on the OS/driver/agent presence and capabilities.

      This array contains a subset of the CIM_PowerManagementCapabilities
      RequestedPowerStatesSupported array and should be used by consoles
      to determine the currently available requested power states before
      attempting to invoke a change request.

      Requires BrcmMgmtAgent v1.24.2 (or later) to represent graceful power
      control power state change request capabilities.

   4. Implemented CIM_SoftwareIdentity.OperationalStatus property for
      all instances.

      Possible OperationalStatus[0] values (single element array):
      - System Firmware: Unknown
      - Network Controller Driver: OK, Stopped, or No Contact
      - Network Controller Firmware: OK or No Contact
      - Management Controller Firmware: OK, Degraded, or Error
      - Management API: Unknown
      - Management Agent: OK, Stopped, No Contact, Lost Communication

      Requires BrcmMgmtAgent v1.24.2 (or later) to track operational status
      of the management agent.

   5. Set maximum outgoing TLS version to TLS1.0 instead of TLS1.2 to allow
      interoperability with MS IIS 7.0.

   6. Detection of incorrectly encrypted configuration record sets using a new
      "watermark" configuration record.

      If a configuration record set with encrypted records is exported to a
      file and then imported into a different network/management controller,
      the record set will fail verification and newer B57diag and BMCC
      versions will disallow the importation (rather than just silently
      reverting encrypted records back to their default or auto-generated
      states as would previously happen). The management firmware will also
      detect an invalid watermark and report/log an error.

Version - October 23, 2009

   1. 802.1X changes:
      a. Added config change event to restart EAP task when 802.1x or client
         certificate configuration records are changed in OS-absent state
         (e.g. local change via B57diag mancfg).
      b. Only send out EAP packet in OS-absent state.
      c. Restart DHCPv4 and DHCPv6 when EAP task is restarted.

   2. Added CIM_NumericSensor.HealthState mapping for OK and Critical Failure
      values based on the PLDM GetSensorReading response.

   3. If a PLDM sensor reading is the most positive or negative number
      possible (based on the sensorDataSize value), translate into +/-
      infinity as appropriate, then force values into the range INT32_MIN to
      INT32_MAX due to the fact that CIM_NumericSensor.CurrentReading is of
      type sint32.

   4. Added extrinsic method: CIM_BIOSService.RestoreBIOSDefaults().

Version - October 16, 2009

   1. Problem (CQ 44096):
      CIM_NumericSensor.OperationalStatus had a value of unknown.

      OperationalStatus was not updated correctly when the PLDM sensor
      reported itself as being on the enabled state.  The last non-enabled
      state or zero was returned instead.

      Set OperationalStatus to OK when PLDM operational status is enabled.

   2. Problem:
      If a configuration record had to be enlarged (e.g. to accommodate a
      newly added property), and the record could be enlarged without moving
      it (changing its offset in the configuration record set) due to adjacent
      null/deleted records, the record length in the record header would not
      be updated to the new larger size required for the new data.

      Most configurations due not normally include null records, so sightings
      of this problem would not be common.

   1. Part of CQ 43898 fix: when MAC address registers are uninitialized (0's)
      (e.g. due to RxCPU boot code failure or delay), read MAC address from
      NVRAM configuration.

   2. Added 802.1X EAP-TLS support, thus completing the set of authentication
      methods that will be supported for this feature.

   3. Optimized PLDM BIOS and SMBIOS command response time.

   4. New and updated classes for 802.1X configuration and certificate/key

      - BRCM_OOBManagement8021xSetting
      - BRCM_OOBManagementHTTPSClientSetting
      - BRCM_OOBManagementHTTPSSetting

      Note: New and updated .MOF files are included with the release.

Version - October 9, 2009

   1. Problem (CQ 43968):
      Unable to enumerate CIM_LogEntry or view Event/Audit logs from

      Enumeration optimization introduced in v1.24.0.4, applied incorrectly
      to CIM_LogEntry.

      Fix implementation of enumeration optimization for CIM_LogEntry

   2. Problem (CQ 43970):
      Using a configuration record set with no console redirection banner
      (or a zero-length banner) causes SSH to fail.

      Zero-length SSH banner violates SSH-AUTH protocol.

      When there is no banner (or a zero-length banner) in the configuration
      record set, do not attempt to send an SSH banner.

   3. Fix regression when connecting to a TLS server (for FW update, USB 
      redirection, or WS-Eventing) which required mutual authentication.
      Introduced in v1.24.0.4.

   1. RMCP and Secure RMCP (RSP) tasks are combined into a single task to
      conserve resources (e.g. stack memory).
   2. Added support for configurable 802.1X username (for use with EAP-TTLS

   3. Added configuration toggle flag for 802.1X EAP-MSCHAPv2 support
      (defaults to enabled).

   4. Added support for 802.1X authentication methods: EAP-TTLS and PEAP.

Version - October 2, 2009

   1. Problem (CQ 43900):
      When a PLDM Numeric Sensor CurrentReading value conversion required
      an inversion operation, state values were not translated accordingly.
      This problem was evident in CIM_NumericSensor.CurrentState property
      values as well as CIM_AlertIndication.MessageArguments[2] property
      values in WS-Events and CIM_LogEntry instances.

      Invert states as well as reading values in CIM representations of PLDM
      numeric sensors.

   2. Problem:
      SMBIOS Base Board serial number not modeled via CIM.

      Populate the system board CIM_Card serial number from the SMBIOS Base
      Board structure.

   1. Update security library to latest version.
      This includes the following changes:

      TLS Changes:
      a. Validate certificate time (use of TLS most likely now requires the
         current date/time to be set)
      b. Validate certificate common name (use of TLS most likely requires DNS
         to be functioning)
      c. Disable 3DES, AES256, AES512 algorithms for speed
      d. Disable RC4_MD5 TLS cipher as it is now considered insecure

      SSH changes:
      e. Disable 3DES
      f. Add support for configurable login banner

   2. Added configurable Telnet login banner (configuration record 0x03).
      Example: "bmcc import=banner.txt -record=3"
      B57diag: "mancfg -i=banner.txt -t=3"

   3. Log an error (and set firmware error flag, bit 15) when an invalid
      MAC address is detected by the firmware (low 32-bits are all 0).

Version - September 24, 2009

   1. Problem:
      Large PLDM response messages were corrupted.
      Fragmented PLDM messages were using the wrong length value for the
      middle fragment.

      Fix the message length value for the middle fragment.

   2. Problem:
      Slow response to PLDM BIOS AcceptBIOSAttribute command.

      Firmware was updating attribute value table in NVRAM for every accepted
      Update the attribute value table only after all the accepted attributes
      have been processed.

   1. Initial support for 802.1X Authentication. 802.1X Supplicant currently
      supports authentication methods:
      * EAP-MD5
      * EAP-MSCHAPv2

      More authentication methods will be added in near future releases.

      Note: Enable and configure with the B57diag 'mancfg' or BMCC 'edit'
            "802.1X Authentication" menu.
   2. Use better CommunicationStatus/EnabledState/OperationalStatus values for
      CIM_Sensor and CIM_NumericSensor instances.

Version - September 18, 2009

   1. Problem (CQ 43510):
      On platforms that require the "ASD Ready" SMBus message and that have
      polled legacy sensors (one or more alerts defined in the ASF_ALRT
      record of the system's ASF system description table), ASF SMBus power
      control commands could stop functioning after a specific race condition
      occurred (typically after 4 iterations).

      Contention over use of SMBus to both poll sensors and send the "ASD
      Ready" message upon vmain/vaux power state transition.

      Serialize the ASF SMBus accesses via semaphore to prevent collision.

   2. Problem:
      Fix octetstring string array parsing of CIM_Account.UserPassword
      property to match DSP0230 rather than DSP0004.

      Old (DSP0004) encoding still supported for backwards compatibility with
      existing consoles and tools.

   1. Redesign of Event/Audit log write-caching to use much less memory and
      eliminate the hard-coded limit of 1000 entries per log.

      Note: B57diag still has a hard-coded limit of 1000 entries per log.

   2. Implement support for sensor reading conversion fields defined in the
      Broadcom SMBIOS Extensions for Sensors specification v0.8. If the unit
      conversion fields are not present, default conversion rules are applied
      (and backwards compatible with previous firmware releases).

Version - September 1, 2009

   1. Problem (CQ 43424):
      Introduced in v1.23.0.4 (Opaque Management Data / Active Directory
      Unable to execute any WinRM commands with Negotiate authentication type
      (i.e. Active Directory).

      Active Directory account enhancements changed internal account value, 
      and AP-REP generation code was not updated to match.

      Fix check if AP-REP should be sent.

   2. Problem (CQ 43356):
      If an MCTP transmit retry was necessary (e.g. MCTP/SMBus was enabled on
      a platform that doesn't support it), it was possible for a task context
      switch to cause the task performing the MCTP request (e.g. a PLDM
      numeric sensor reading) to enter a very long timeout loop possibly
      causing the management firmware to stop responding to remote management
      requests for a period of time (many minutes).

      A task switch could cause a timer register poll to miss the target
      value and thus require a wrap around of the timer register value before
      the task would continue servicing the request and allow lower priority
      tasks to execute.

      Disable interrupts while polling the timer register between MCTP retry

      Problem only seen when MCTP was enabled on platform that doesn't support
      MCTP, but in theory any condition that could have caused an MCTP retry
      attempt could have triggered this issue.

   3. Problem (CQ 43355):
      Multiple concurrent PLDM sensor queries were not supported. e.g.
      Attempting a B57diag 'apectl -q<n>' command while a simultaneously
      enumerating CIM_NumericSensor instances remotely would cause some of the
      queries to fail.

      Rather than serializing the PLDM requests, requests attempted while a
      previous request was pending would immediately fail.

      Serialize PLDM sensor reading requests before attempting to initialize
      or reset the current PLDM request timeout timer.

Version - August 20, 2009
   1. Problem:
      Introduced in v1.21.0.0 (fix #3), when deleting an account that is
      the owner of one or more Opaque Management Data instances, an adjacent
      Opaque Management Data instance would be over-written.

      Off-by-one error when updating the OMD instance meta data in NVRAM
      (to clear the owner ordinal property value).

      Now performing all OMD instance reads and writes by ordinal (static)
      rather than by instance (dynamic) fixing this particular problem and
      other potential problems that could occur when upgrading from v1.22.x.x
      (or earlier) firmware whereby OMD instance configuration record storage
      requirements have increased (to accommodate Active Directory support)
      causing OMD instance records to potentially be re-ordered in NVRAM and
      other issues similar to this one to occur (transiently).

   2. Problem:
      Only 4 (out of 16) NVRAM extended directory entries could be discovered
      and utilized by the management firmware.

      Directory entry size calculation error.

      Use correct directory entry size calculation.

      Since only 2 extended directory entries are currently supported (one
      each for APE Event Log and APE Audit Log), this bug did not yet produce
      any symptoms. If/when in the future we introduce and use more (than 4)
      extended directory entry types, this bug would be a problem.

   3. Problem:
      When updating uninitialized configuration record header ordinal values
      (e.g. when upgrading from firmware v1.22.x.x or earlier), if Account or
      Role records are out of natural order (e.g. instance 0 was not ordinal
      1), then incorrect ordinal values would be assigned to one or more
      configuration header records. 

      Assumption that Account and Role records would be stored in their
      original/natural order and there would be no "holes" (e.g. no missing
      instances in the middle of the ordinal sequence) at the time of upgrade.

      Added special handling for Account and Role records to
      Propagate ordinal property value (now deprecated) to header ordinal.

      Since there has been an increase in the size of the Role record in the
      past (pre v1.00), there is a remote possibility that a configuration
      could exist with Role records out of natural order. More likely, but
      still remote, is the possibility that one could have deleted/removed an
      Account or Role instance from the middle of the sequence of Account or
      Role configuration records
      (e.g. using "bmcc delete -record=account -instance=0").

   1. Treat the SMBIOS structure type 28 "Minimum Value" field as a signed
      16-bit integer instead of unsigned 16-bit integer. This allows modeling
      more realistic ranges for temperature probes via the CIM_NumericSensor
      MinReadable property.

      Note: This is a minor violation of the SMBIOS 2.6.1 specification and
            prevents modeling a minimum value of 3272.7 degrees Celsius.

Version - August 13, 2009
   1. Problem (CQ 40293):
      After assigning Opaque Management Data ownership from Administrator to 
      Active Directory account, the read/write functions will fail.

      Bug with negative permission case.

      Ensure that the Active Directory account has the read/write privileges.

   2. Problem (CQ 42075):
      When logging on with Active Directory account associated with the
      Operator role, still unable to see Opaque Management Data instances that
      are under "Operator" or the Active Directory account with Operator
      Roles. All subsequent remote management requests fail until the
      management controller is reset.

      Infinite loop when checking permissions of Active Directory identities
      when the checked permission is not present.

      Eliminate the infinite loop possibility.

      Newly introduced in v1.23.0.4.

   3. Problem (CQ 42983):
      Unable to modify multiple BIOS properties simultaneously using BIOS
      Management Profile.

      The PLDM response packets were larger than the MTU supported for MCTP
      over SMBus.

      Reduced the PLDM response buffer to 64 bytes.

   4. Problem (CQ 43111):
      Deleting and recreating an Opaque Management Data instance owner
      account will have CIM_AssociatedPrivileges automatically associated with
      the newly created account.

      Opaque Management Data instance read/write permissions were not being
      removed for deleted accounts.

      When deleting an account, clear the read/write permissions for the
      associated account ordinal in all created Opaque Management Data

   1. (CQ 42934)
      Add ability to modify BRCM_NetworkTransmitFilterSet.SetDropCountEnabled
      property value.

   2. Optimized RMCP task stack utilization, decreasing stack usage from ~2K
      to ~1K bytes during server initialization.

Version - July 31, 2009
   1. Problem:
      Intermittent firmware crash caused by stack overflow in RMCP task upon
      APE reset, indicated by B57diag 'apeinfo -t' output that includes
      "fw: status=f0090300" and a "0" in the "min." column of the "RMCP" task.

      Insufficient stack size to accommodate all possible function call paths
      during RMCP server initialization. Specific requirements to trigger the
      crash have not been determined.

      Increased stack size for RMCP task from 2048 to 2560 bytes.

   2. Problem (CQ 42619):
      Network quarantine service filter set, element creation does not return
      correct EPR.
   3. Problem (CQ 42630):
      Cannot change BIOS attribute for attributes with names longer than 
      32 bytes using the CIM_BIOSService.SetBIOSAttribute() method.

      Increased the attribute name string length supported to 64 bytes.

   4. Problem (CQ 42704):
      Changing the BRCM_OOBManagementADSettig.Password is not being written

      Encoding of the contents of the OctetString string array as UTF-16 is
      not advertised anywhere and the use of an OctetString provides no
      advantages over the use of a string.

      Change type of property to a string rather than an OctetString which
      removes the ambiguity of character encoding.

      Requires DashMgmtCon using updated BRCM_OOBManagementADSetting.mof.

   5. Problem (CQ 42705):
      Unable to view Opaque Management Data instances when logged on as
      Operator role for Active Directory.

      Privilege check for OMD access did not account for Active Directory.

      Add checking of AD roles and privileges to OMD access check.

   6. Problem (CQ 42807):
      DDR3 memory is reported as Unknown in CIM_PhysicalMemory.MemoryType.

      DDR3 was added to the SMBIOS specification in March of 2009 and this
      change wasn't implemented in the firmware.

      Added mappings defined in March 2009 release of SMBIOS specification.
   7. Problem:
      CIM_BIOSServiceCapabilities.MethodsSupported was represented as a Uint32
      rather than a Uint32 array.

   8. Problem (CQ 40293):
      Unable to modify Opaque Management Data instances using Active Directory

   1. Added support for generating CIM_AlertIndications/WS-Events for PLDM
      Platform Event Messages received for numeric sensors
      (sensorEventClass == numericSensorState) using Platform Message Registry
      v1.1 message PLAT0507.

   2. Logged PLDM Platform Event Messages for numeric sensors are now
      represented via CIM_LogEntry instances (queried using the Record Log

   3. Released binary firmware files are now $(CHIP)tm$(MAJOR).$(MINOR)[E], 
      where 'E' denotes "experimental" firmware. For example:
      5761tm1.23E for experimental releases, and 5761tm1.23 for an official
      release of v1.23.x.x.

   4. Platform Registry Message -> Indication mapping update (for Registry
      v1.1) for PerceivedSeverity and AlertType values.

Version - July 10, 2009

   Linked with TruManage SDK (v1.23.0).
   This version should be used in combination with BMCC v1.23.0 and 
   BrcmMgmtAgent v1.23.0.

   1. Problem (CQ 40452):
      BMCC Log command will return successful when there is no log in NVRAM.

      No method available to pass low level success or failure result back
      to host application (e.g. in this case, BMCC).

      New BMCTRL Library and management firmware (v1.23.x.x) adds support
      for event results that can be checked for success or failure. The
      "log" and "clearlog" commands now check this result (when used with
      firmware v1.23.x.x or later) and display "success" or "failure".

   2. Problem (CQ 42357):
      Authenticating via Active Directory would not transition the management
      controller to "Provisioned Mode".

   3. Problem:
      Queried PLDM Numeric Sensor values not reported correctly (e.g. using
      Incorrect parsing of sensorDataSize value in GetSensorReading response

      Applied support for all sensorDataSize enumeration values defined in

   4. Problem:
      Incorrect Content-Type (application/xml+soap) was used when POSTing

   5. Problem:
      Network Quarantine Profile was being advertised as a DMTF profile at 
      v2.0.0 instead of a Broadcom profile at v1.0.0. 

   1. Advertise Simple Identity Management Profile v1.0.1 support (instead of
      v1.0.0) in CIM_RegisteredProfile instance.

   2. Allow PLDM Numeric Sensor reading via APE Event
      (e.g. using B57diag "apectl -q<sensorID>" command).
   3. Added support for receiving PLDM Platform Event Messages (over 
      MCTP/SMBus) and logging them to the NVRAM-based Event Log.

   4. Added support for using the configuration field (SMBus Interface->
      PLDM Sensor Aggregator SMBus Address) with PLDM Monitoring and Control
      commands. Configure with BMCC "edit" or B57diag "mancfg" commands.

   5. Removed and deprecated support for ASF Offline Mailboxes.

   6. Improved memory copy performance in network stack.

   7. Active Directory configuration CIM modeling via new classes:
      * BRCM_OOBManagementADSetting
      * BRCM_ADIdentity

   8. Add read/write privileges for the Broadcom OOB Management Profile to the
      provisioning privileges to allow full configuration of Active Directory
      using the ProvisionConsole account.

   9. Add firmware build flag to indicate experimental builds (builds that do
      not go through the normal release and quality assurance procedures)
      instead of relying on odd minor version numbers as an indicator.
      For example:
                v1.23.0.0E would be an experimental firmware build
                v1.23.0.0 would be an officially released firmware build.

   10. Optimize static data usage in firmware binary, reducing NVRAM storage
       requirements by several kilobytes.

   11. If CIM_Account.RequestStateChange() is invoked but no change to the
       EnabledState was made, no Audit Log entry is created and no Life-cycle
       indication/WS-Event is sent.

Version - June 12, 2009
   1. Problem (CQ 42008):
      Importing a smaller SMBIOS structure table into a configuration record
      set would result in a configuration that would trigger a warning
      message when the 'bmcc verify' command was used to verify the
      configuration record set.
      !Warning: Record type 11 @00070: unused byte 07DF is non-zero (4A)

      A portion of the pre-existing, larger, SMBIOS structure table was left
      in the configuration record (not zeroed-out).

      In the BMCFG library bmcfgPutSMBIOSStructsRecord function:
      Zero-out unused portion of SMBIOS structure table configuration record
      when writing an SMBIOS structure table to the configuration record set.

   2. Problem (CQ 41943):
      Newly introduced in firmware v1.22.0.0:
      On some systems, ASF/SMBus Push Alerts (e.g. fan failure, no memory)
      were not logged or sent as PET/SNMP Traps by the management controller.

      The zeroing out of receive buffer in smb_readSlaveData() affected the
      timing of the SMBus ARP transaction between the BIOS and MC causing the
      SMBus ARP to fail.  This causes the BIOS to fail to send ASF/SMBus Push
      Alert message.

      Moved the zeroing out of receive buffer in smb_readSlaveData() to only
      clear on write call backs. 

   3. Problem:
      If a role had the "Audit" privilege enabled for any profile other than
      Record Log, a CIM_MemberOfCollection instance would be instantiated with
      an invalid Member EPR value for each bit so set.

      This problem was only exposed when using an unusual/unexpected
      configuration at this time.

   4. Problem (CQ 41897):
      Newly introduced in firmware v1.22.0.0:
      All CIM_NumericSensor.CurrentReading properties contain zero values.

      PLDM for Platform Monitoring and Control implementation (specifically,
      GetSensorReading command sensorDataSize enum) was updated to
      match DSP0248 v1.0.0 and support for existing OEM-specific
      GetSensorReading command was not retained.

      Implement support for both DSP0248 standard (v1.0.0) and pre-standard
      GetSensorReading sensorDataSize enum values.

   5. Problem (CQ 41864):
      Number of available Network Quarantine Service Transmit Filter Sets and
      Elements are non-zero even when no supporting driver has been loaded
      (we're advertising the capability when there in fact is no transmit
      filtering capability).

      The theoretical maximum number of transmit filter sets and elements was
      always being advertised, regardless of the driver version installed or
      running (for initial testing and debugging purposes).

      Only allow setting of NQS transmit filter sets and elements (advertise
      a non-zero number of available transmit filter sets and elements) when
      a NQS transmit filter capable driver has been loaded.

   1. Added a special (currently unassociated) instance of CIM_Privilege
      (InstanceID=BRCM:14.10000000f) which is the cumulative privilege for the
      currently authenticated user.

      This allows any console that is aware of the existence of this special
      instance the ability to dynamically detect the detailed authorized
      privileges of the currently authenticated user identity.

Version - June 5, 2009
   1. Problem (CQ 40673):
      PET Messages received by the management controller via ASF/SMBus message
      would be logged and/or transmitted with garbage in "Event Data" bytes.

      PET Messages received via ASF/SMBus may contain up to 5 bytes of Event
      Data per the ASF specification. If fewer than 5 Event Data bytes were
      included in the ASF/SMBus message, the remaining bytes would be contain
      uninitialized (non-zero) values and all 5 Event Data bytes are always
      logged and/or transmitted.

      Zero-out SMBus receive buffer before receiving ASF/SMBus messages.

   2. Removed support for CIM_OperatingSystem requested state values 
      "Shutdown" (4) and "Reboot" (10) since Version 1.0.0 of the OS Status
      Profile does not mention them anymore as possible supported requested

   1. Transmitted PET messages now include initialed time-stamp (TimeTicks)
      and Local Timestamp and UTC Offset values (when available) as
      recommended by the ASF specification.

   2. Problem (CQ 40564):
      When switching ports (for the cable from the managed system) on some
      Ethernet switches, traffic destined for the management controller would
      cease to be forwarded to the managed system.

      Send gratuitous ARP after Ethernet link up to force switch to relearn
      MAC address in case of port change.

   3. Increased maximum property string lengths in CIM_BIOS* classes from 32
      to 64 characters.

   4. Network Quarantine Service
      This enhanced Broadcom TruManage feature is now supported via
      BRCM_NetworkQuarantineService and associated classes. Receive filtering
      is implemented in firmware and functional regardless of driver version
      (or presence). Future Windows/NDIS driver releases will include support
      for transmit filtering. When this firmware is used in conjunction with a
      supporting driver, the transmit filtering capabilities will be
      automatically modeled via CIM (i.e. no firmware update should be

      Explicit support in the TruManage DASH Management Console is also
      pending. Any CIM Browser (including that in DashMgmtCon) may be used to
      exercise this feature today.

Version - May 28, 2009
   1. Problem (CQ 41439):
      DASHCLI application (part of the AMD Simfire DASH SDK) was unable to
      start the Text Console Redirection service.

      The Text Console Redirection profile implementation did not follow the
      DMTF profile specification in regards to the EnabledState property value
      of the service and associated Service Access Points (SAPs).

      Merge control of the service and SAP into the SAP instance to make it
      easier for console to access all three profile defined states (active, 
      inactive, and available).

   2. Problem:
      Potential for long recovery times on unreliable TCP links where multiple
      consecutive segments may be dropped (e.g. due to temporary loss of
      Ethernet link).

      Recovery behavior of TCP stack based on logarithmic algorithm defined
      in RFC2581.

      Implemented RFC2582 ("New Reno") to allow fast recovery times on
      unreliable TCP links.

   3. Problem:
      When a user account is deleted (remotely, using the Simple Identity
      Management profile) any Opaque Management Data instances owned by that
      account are then orphaned and will be automatically owned by the next
      created user account, leading to potential information leak to an
      unauthorized user account.

      Existing OMD instances were not checked or modified when user accounts
      were deleted.

      Set owner of OMD instances to an invalid identity when the owning user
      account is remotely deleted. Only the Administrator may then manage
      the orphaned OMD instance.

   4. Problem:
      MCTP/SMBus implementation fails stress test.
      Issues include corrupted MCTP packets, SMBus interface Data line pulled
      low, and SMBus interface Tx Underrun event.

Version - May 7, 2009
   1. Problem:
      CIM_LogEntry.RecordFormat property value contained typo in 
      CIM_AlertIndication.OwningIdentity name ("Idenity").

   2. Problem:
      Some firmware progress event messages (from BIOS) were incorrectly
      mapped to platform message registry ID 186 ("firmware hang")
      instead of 188 ("firmware progress").

   3. Problem (CQ 40723):
      Secure RMCP keys would not be auto-generated to pseudo-random values
      if remotely cleared (set to zero-length values).

   4. Problem:
      CIM method would fail if TimeoutPeriod was correctly specified
      (i.e. has a child tag).

      Fix detection of invalid extrinsic CIM method parameter combinations.

   5. Problem:
      Extrinsic CIM methods that do not accept any parameters could not be
      executed via the Web/GUI interface (e.g. CIM_RecordLog.ClearLog()).

   1. Added support for returning the SMBIOS Description field for SMBIOS type
      27 (Cooling Device) in the CIM_NumericSensor.ElementName property value.

Version - April 17, 2009
   1. Problem (CQ 40638):
      When updating property stream records, if the existing property stream
      length was larger than the length required to store the properties
      supported, existing property values may be truncated and some properties
      not written or updated in in the record. This causes the newly updated
      bmcfgVerifyBuf() routine to report an error with the effected record.

      BMCFG library did not handle the updating of larger than required
      property stream records. This caused backward and forward compatibility
      issues (e.g. the minimum os_info record size shrank from TruManage 1.1
      to 1.2).

      Change (in BMCFG library):
      The data length of updated property stream records is dynamically
      calculated based on the requirements of existing and added or updated

   2. Problem:
      When updating encrypted records or shrinking existing record data,
      non-zero unused data bytes would be created.

      Change (in BMCFG library):
      When updating records, unused data bytes were not zeroed-out. If the
      new data length was smaller than the existing data length, then the
      stale (previously used) data byte values would remain.

      BMCC "verify" command will display warnings when non-zero unused data
      bytes are detected in records (as of v1.20.3).

Version - April 16, 2009
   1. Problem (CQ 40407):
      Firmware thinks driver and OS are not present when enabled via BMAPI
      (e.g. using BACS or BMCC) after system resumes from S3.

      When firmware initializes, it immediately receives a "PCIe reset"
      interrupt, so the firmware thinks the system has been ungracefully
      reset (thus the driver and OS cannot be present).

      When firmware initializes, reset the "PCIe reset" interrupt status
      so that PCIe resets that occurred prior to the firmware being
      loaded will not trigger the interrupt.

      This was the root cause of this defect. The change in the previous
      version was just a work-around for one symptom of this problem.

   2. Problem (CQ 40571):
      Unable to create a new account using web (HTML) interface.

      Regression of "create" intrinsic method support using web interface.

   3. Problem:
      Resuming from S3 on some systems causes PLDM sensor communications to

      Power-state change interrupt only occurs when transitioning to S3 on
      some systems. If this interrupt occurs, we clear a BIOS state flag that
      indicates the system is capable of PLDM communications and the flag will
      not be reset until the system goes through POST again.

      Clear the "PLDM ready" BIOS state flag only when we transition to Vaux
      and the current power state (as reported via ASF "Set System State"
      SMBus message) is not S3.

   4. Problem:
      Updating corrupted property stream records could cause corruption of
      adjacent configuration records.

      The BMCFG library did not sufficiently validate the length of
      properties to be updated in property stream records before updating
      their values, so updating the properties of corrupted (e.g. falsely
      decrypted) property stream could cause adjacent records to be

      The BMCFG library now validates the lengths of properties before
      updating their values in configuration records thus preventing
      corrupted property stream records from causing the corruption of
      adjacent records (headers and data) in the configuration record set.

Version - April 10, 2009
   1. Problem (CQ 40318):
      20 character text log entries (e.g. created using B57diag "apelog -l")
      would contain garbage (usually "HEAD") in CIM_LogEntry.RecordData
      property value.

      Assumption that all text entries are zero-terminated.

      Only use the first 20 non-zero characters of text log entries when
      forming the CIM_LogEntry.RecordData property values.

      Text log entries are currently used for debugging/testing purposes only.
      The B57diag "apelog -i" command had a similar problem with displaying
      text log entries that has also been fixed.

   2. Problem (CQ 40407):
      BSOD seen when enabling manageability via BACS (or presumably via BMCC).

      RSS enabled bit in MAC register is being turned off by firmware during
      initialization causing MAC to enter an erroneous state.

      Use read/modify/write when initializing MAC mode registers in OS/driver
      absent case of firmware initialization.

      Numerous problems arise if the driver is already loaded when
      manageability is enabled and the management firmware initialized (e.g.
      using BmapiSetMgmtEnableState). The complete solution is to have BMAPI
      reload the network controller driver whenever manageability is enabled
      or disabled.

   3. Problem (CQ 40483):
      Network controller doesn't get link after system entering S3 with
      manageability enabled and forced link speed at switch.

      Firmware did not advertise half duplex when supporting Lowest Speed
      Advertised setting, so when link partner is set to a forced speed, no 
      link could be established. 

      Advertise both half and full duplex when link speed is set to Lowest
      Speed Advertised.

   4. Problem (CQ 40500):
      Remote firmware update (using Software Update profile) will cause
      directory checksum error in NVRAM (e.g. using B57diag 'sechksum'

      Firmware bin image size was added to NVRAM directory entry, but
      directory checksum was not recalculated when performing remote firmware

      No longer store bin image size in NVRAM directory entry (not necessary).

   5. Problem:
      When the NIC is reset (e.g. when the system power button pressed for 4
      seconds to force an ungraceful system power-down), the current date/time
      tracked in the management controller would be incorrect (possibly
      jumping by as much as 13.5 years) causing different issues, including
      the failure of Active Directory authentication.

      The power-on-reset timer is reset (to 0) but shared memory contents are

      During firmware initialization, if the hardware tick value stored in
      shared memory is greater than the current power-on-reset timer value,
      don't use the value stored in shared memory to compute the current

   6. Problem:
      Some management configuration records that may be optionally encrypted
      (e.g. RSP, WS-Event Subscriptions), if modified via the management
      firmware, would be automatically reverted to unencrypted records.

      Accidental stripping of configuration record encryption attribute flag.

      User account, private key, and OMData instance records were not
      affected by this problem.

   7. Problem:
      BIOS Attribute Pending Value Table configuration record (type 0x18)
      was no longer encrypted by the management firmware.

      Accidental stripping of configuration record encryption attribute flag.

   8. Problem:
      With "wake on interesting packet" enabled in the network driver and DHCP
      enabled in the management firmware, an OS transition to S3/S4 could
      result in the system being immediately woken back up.

      When the driver unloads, link may be lost for 4 or more seconds causing
      the firmware to renegotiate the DHCP lease. The response received from
      the DHCP server is detected by the network controller as an "interesting
      packet", so the system is woken.

      Increase from 4 to 8 seconds the amount of time that link must be lost
      (in OS absent state) before the firmware's DHCP lease will be considered
      invalid and thus renegotiated when link is reestablished.

      Eventually the DHCP lease will be renegotiated by the firmware, thus
      waking the system unexpectedly. It's likely that when manageability and
      "wake on interesting packet" are both enabled simultaneously, the system
      is going to be woken from S3/S4 unexpectedly under many scenarios (DHCP
      or not). The best solution is to disable the wake on interesting packet
      driver setting whenever manageability is enabled.

   1. If Secure RMCP is enabled, but the data integrity key (Kg) or either
      of the authentication keys (Ko or Ka) have not be set, the keys will now
      be generated using pseudo-random values and stored in the RSP
      management configuration record when the RMCP server is started or
      recycled (e.g. due to configuration change event).

      This change prevents the unintended consequences of enabling Secure RMCP
      without setting any of the Secure RMCP (RSP) key values: allowing remote
      RMCP authentication (and potential remote control) using uninitialized
      (zeroed) key values.

   2. Current ASF watchdog timer value is now included in the reserved bytes
      of the RMCP system state response.

      Helpful in the remote debugging of ASF watchdog timer issues.

Version - March 31, 2009
   1. Problem (CQ 40128):
      After a time zone change (e.g. Daylight Saving Time going into effect),
      Record Log entries (CIM_LogEntry instances) may show incorrect
      CreationTimeStamp property value.

      Event and Audit log records were stored in NVRAM with the time of the
      event stored as the current local time (rather than UTC). Since the
      value of the system's time zone bias may change (e.g. when Daylight
      Saving Time goes into effect), the CreationTimeStamp value would
      represent the current wall-clock time at the time of the event, while
      the UTC offset included in the CIM DateTime value would represent
      the current time zone at the time of the query by the management

      When the current system time zone is known, store Event and Audit Log
      record time stamps with the current time in UTC. When sending the
      CIM_LogEntry.CreationTimeStamp value for such entries, use the UTC
      representation (use the local time zone representation otherwise).

      If the current system time zone is not known at the time of an event
      (e.g. there has been no "one good boot" where BrcmMgmtAgent has run),
      and the system's real-time clock (RTC) is programmed for local time,
      then log records will be stored with the local time as the time stamp.
      In the case where the time stamp of log records are stored as the local
      time, the CIM_LogEntry.CreationTimeStamp may still be incorrect when
      retrieved by the management console. 

      It is up to the management console to convert UTC CIM DateTime values
      to local time representation if that is desired. 

   2. Problem (CQ 40161):
      Unable to delete one-time boot option configuration using the Boot
      Control profile.

      Firmware was not allowing the ModifyInstance() on the 
      CIM_ElementSettingData.IsNext with the associated CIM_BootConfigSetting
      class from IsNextForSingleUse to IsNotNext.

      CIM_ElementSettingData.IsNext with associated SettingData of
      CIM_BootConfigSetting can now be modified from IsNextForSingleUse to
      IsNotNext. This will cause the pending attribute value to be deleted.
      This change only applies to the one-time boot configuration.

      Requires DashMgmtCon version 1.2.1 or later.  Refer to CQ 40085.

   3. Problem (CQ 40185):
      Unable to enumerate any instance after 5 minutes of operation using
      Active Directory authentication.

      After the Kerberos replay cache filled up, each failed authentication
      attempt would leak about 256 bytes of memory. Eventually, all available
      heap memory was used up, resulting in an inability to create new RC4
      contexts and preventing all Active Directory authentications.

      Create and use a function to clean up negotiation contexts correctly.

   4. Problem (CQ 40202):
      Unable to execute extrinsic methods when using Active Directory

      Some extrinsic methods were verifying privileges assuming that the
      authenticated identity was a local user account.

      Pass current privileges (of the authenticated Role) to the
      class-specific method invocation functions.

      Opaque Management Data is still not supported using Active Directory
      authenticated sessions.

   5. Problem (CQ 40010):
      Unable to authenticate using Active Directory and Internet Explorer 7.
      Unable to authenticate against Windows 2008 Active Directory Server.

      Windows 2008 and Vista have an AuthorizationData section in their
      Authenticator in addition to the MS-PAC.  Any AD-Type other than MS-PAC
      (128) would result in failed authentication.

      Ignore IF-RELEVANT blocks with AD-Types other than 128 rather than fault
      on them.

      When using IE7/WinRM/DashMgmtCon on a Vista or Win2k8 system, you must
      use a hostname of the target rather than the IP address.  When using XP,
      the IP address of the target will work.

Version - March 20, 2009
   1. Problem (CQ 40005):
      Unable to execute WinRM commands with Active Directory authentication.
      e.g. winrm id -r: -a:negotiate -u:user -p:pass
      will display an error message saying the client is not enabled for
      negotiation authentication.

      AP-REP response was generated incorrectly: the cipher field was
      incorrectly identified as the kvno field in the enc-part field of the
      AP-REP.  Also, winrm requires a zero-length response to its zero-length
      request during authentication.

      Fix AP-REP generation and return zero-length responses to zero-length
      requests when negotiate authentication is used.

      WinRM now works using "-a:negotiate" over HTTPS and WinRM now works 
      unencrypted (using "-a:negotiate -un") over HTTP. WinRM/Kerberos
      encryption over HTTP remains incompatible with the management firmware.

   2. Problem (CQ 40079):
      CIM_LogEntry.ElementName is not unique for new entries following a
      CIM_RecordLog.ClearLog method invocation or overwrite (WrapsWhenFull).

      When constructing the ElementName property value, the oldest currently
      stored entry in the log was always numbered 1.

      Log entry number in CIM_LogEntry.ElementName property now tracks 
      CIM_LogEntry.RecordID property, which is a unique identifier among
      all entries in the log, current log entries and cleared log entries.
   3. Problem:
      TLS and Active Directory/Negotiate times (in UTC/GMT) were incorrect.

      Current time zone bias was not applied correctly.

      Apply the current time zone bias correctly to calculate the current GMT.

   4. Related to CQ 39405:
      Check driver Vaux speed setting when transitioning to Vaux.

   5. Problem (CQ 40017):
      Host (e.g. NDIS) drivers with 4-part version numbers (e.g.
      were not represented fully in the associated CIM_SoftwareIdentity

      The existing communication mechanism between the driver and the
      management controller only supports a 3-part (24-bit) version number
      because at the time of definition, all drivers were released with
      3-part version numbers.

      Added host driver build number (upper 8 bits of driver_behavior field)
      to communication interface to support 4-part version number for host

      Only drivers that support the updated communication interface will have
      their 4-part version number correctly identified in CIM_SoftwareIdentity

   6. Problem (CQ 40045):
      When performing a remote firmware update using the CIM Software Update
      profile, the DashMgmtCon takes a long time (e.g. 5 minutes) to timeout.

      The management controller is immediately reset after the firmware is
      successfully updated. In previous versions there was an indeterminist
      delay, up to one second, before the management controller was reset.
      This delay allows the DashMgmtCon to see the CIM_ConcreteJob
      instance change state from running to complete.  With the elimination
      of this delay in FW v1.19.0.10, the DashMgmtCon failed to see the 
      associated CIM_ConcreteJob instance change state.  The DashMgmtCon
      will continue polling even after the reset is completed and
      CIM_ConcreteJob instance is no longer in existence.  The DashMgmtCon
      times out after 5 minutes or so and gives up.

      Added a 1.5 second delay after the firmware is successfully updated and
      before the management controller is reset. This provides a higher 
      probability that the console will see CIM_ConcreteJob instance change 
      to the completion state.  This does not solve the issue,
      it just reduces the symptom (DashMgmtCon may now see the CIM_ConcreteJob
      status change before the reset occurs, depending on its polling
      frequency, network latency, etc.).

   7. Problem:
      Corrupted or outdated PLDM for BIOS structures stored in NVRAM could
      cause the management firmware to crash.

      Insufficient PLDM for BIOS parameter value validation.

      Added additional PLDM parameter value validation to PLDM for BIOS

   1. Active Directory/Negotiate authentication:
      A. Validate client-supplied times, if received.
      B. Implement replay protection cache.
      C. Add SPNEGO-Kerberos SecurityIdentifers to WS-Man Identify response.
      D. Disallow negotiate authentication when date/time has not been set.

   2. When a server CA cert has been imported into the management controller
      configuration, advertise mutual HTTPS/TLS only in WS-Identify response.
      When it is not present, do not advertise mutual TLS.

Version - March 13, 2009
   1. CIM_AlertIndication.OwningEntity property value for Indications is now
      just "DMTF" (based on pending DMTF message registry changes).

   2. Problem (CQ 38042):
      Error when deleting all privileges from a role using DashMgmtCon.

   3. Problem (CQ 39858):
      CIM_LogManagesRecord association for Audit Log shows CIM_RecordLog 
      as "Event Log".

   4. Problem (CQ 39923):
      Executing winrm USB redirection commands will cause an erroneous
      Audit Log entry: "Bad account #0 failed authorization..."

   5. Problem:
      One profile erroneously had CIM_ElementConformsToProfile associations
      with all instances of CIM_RegisteredProfile as well as the central

   6. Change the CIM_PhysicalMemory.Speed property value (from 0xffffffff
      to 0) when the current speed is "unknown" as per current proposal
      in DMTF PPP-WG.

   7. Problem (CQ 39924):
      Audit log entries generated from ProvisionConsole user will show as
      "Bad Account".

   8. Pending Event and Audit log entries are flushed to NVRAM before a
      graceful management controller reset or shutdown event.

   9. NULL bytes were included in HTTP Authentication-Info header after digest
      nonce times out.

   1. Eliminate the (up to) one second delay before processing deferred APE
      events (e.g. configuration change, set date/time, ping, driver state
      change, add log entry).
      This change also allows more than 7 host-generated log entries
      (e.g. using B57diag "loop X apelog -ltext") to be sent in rapid

   2. Event "Log Full" indications now follow the architecture specification:
      sent for the first message that fills the log only, unless log is
      configured to never-overwrite, in which case one is sent for every
      non-logged event.
   3. Event "Log Almost Full" indications are only sent when the log is
      flushed to NVRAM (by default, at most every 5 seconds) and the log is
      between 90% and 99% full. You'll no longer receive an indication for
      every successive log message (unless they are sporadic in frequency).

   4. Related to CQ 39405:
      Use driver VAUX/WoL speed setting if available.

   5. Added support for SPNEGO-based Kerberos Authentication (RFC4559) for
      Microsoft Active Directory-based authentication and authorization.

Version - March 6, 2009
   1. Problem (CQ 39848):
      Audit Log entry RecordData property contains (as an example):
      "Unknown (unknown) created account user: 0 ()".

      Audit Log event data was being treated as an ASCIIZ string instead
      of a binary structure (and thus truncated at the first 0x00 byte)
      at the time the event was logged.

      Fixed the log even type checking in the event_log library.
   2. Problem (CQ 39847):
      When taking an account offline, no audit log entry will be generated.

      No audit log message had been defined for this specific account
      management operation.

      Added an audit log message definition (and code to generate such) for
      this operation.

   3. Problem:
      CIM_LogEntry.CreationTimeStamp property was missing/NULL instead of
      unknown ("**************.******") when the current date/time was not
      known at the time the event was logged. The DMTF Record Log profile
      mandates that this property exist.

   4. Problem:
      Wrong CIM mapping XML namespace:
      instead of:

   5. Problem:
      WS-Identify response not conformant with pending XSD.

      Move TruManage tags to before SecurityProfiles as per wsmanidentify
      XSD currently under ballot.

   6. Problem:
      No associations existed for unassigned CIM_Privilege instances.

      Associate privileges to CIM_RoleBasedAuthourizationService.

   7. Problem:
      Authorization failures caused an incorrect InvalidValues fault to be
      returned in a put response.
      Incorrect fault specified for Authorization failure returns from _set()

      Authorization failures now return an AccessDenied fault.

Version - March 4, 2009
   1. Problem (CQ 39702):
      Event log Indication is not sent when Event Log is cleared or 90% full.

      When using the B57diag 'apelog' commands to manipulate the Event Log
      (e.g. add events, clear the log), the firmware did not generate CIM
      Indications. This behavior was intentional but has been changed in this
      release (see Change B below).

      When executing the CIM_RecordLog.ClearLog() method remotely, the
      appropriate "Log Cleared" indication was sent successfully (could not
      reproduce this aspect of the reported problem).

      When the Event Log was 90% full and a new event was logged by the
      firmware a "Log Almost Full" indication was not sent because the
      corresponding Platform Message Registry entry (204) was missing from the
      firmware's event-to-message mapping table.

      A. Added the "Log Almost Full" message to the event-to-message mapping

      B. Log manipulations from the host (e.g. using B57diag 'apelog'
      commands) will now generate the relevant indications (e.g. Log Almost
      Full, Log Full, and Log Cleared) when appropriate.

      Event Log only (Audit Log changes never result in indications being

   2. Problem (CQ 39720):
      Firmware heartbeat ticks get stuck and stops incrementing when remote
      booting with "Boot Progress Events" and "Event Log" enabled on an PXE
      enabled NIC.

      Deadlock occurs while Event Log flush.

      Don't flush the Event Log to NVRAM while an option ROM write delay is
   3. Problem (CQ 39770):
      Remotely adding/editing accounts or roles does not generate an Audit
      Log record.

      The Audit Log implementation was not complete at the time of the last

      Audit Log records are now created for remote account modification, role
      modification, and authorization failures.

   1. (CQ 39405)
      Added "Lowest Speed Advertised" option for VAUX Link Speed.

Version - February 13, 2009
   1. Fix the use of the CreateInstance intrinsic for
      CIM_OpaqueManagementData.  Previously, nobody could invoke it. 

   2. Include WS-Transfer XML namespace in SOAP faults in case of 

   3. Return InvalidValues fault when a value is invalid.

   4. Error out the CIM_ConcreteJob if the URI is unparsable.  Previously,
      the ConcreteJob would never complete or error on an invlaid URI.

   5. Add support for the InvalidNamespace fault detail required by

   6. Parse ALL xml namespace declarations before parsing the tag name.

   7. Fix enumeration of CIM_Container. The Physical Asset Profile has been
      broken since 06/24/08

   8. Ensure there is more than one association with each non-association

   9. CQ 38818

   10. Set failure set on CIM_ConcreteJob when host fails to resolve.

   11. When the current time is unknown, return "**************.*****" as
       the CIM_DATETIME value.

   12. CQ 38599

   13. Sort property names by ASCII value as per XSDs.

   1. Option to disable support for anonymous WS-Identify requests on the
      /wsman URI (to avoid warning in DMTF DASH CTS).

      Enabling this option prevents some DASH management consoles from being
      able to discover the MAP.

   2. Added support for "receive all IP fragments" advanced option
      (default: disabled).

   3. Added support for new DHCPv6 configuration settings (e.g. DUID, Vendor
      enterprise number and class).

   4. Added Audit Log support (using DMTF Record Log CIM profile).
      Uses Broadcom-defined plan-text log record data.
      Requires Audit permissions (e.g. Auditor Role).

   5. Added Event Log support (using DMTF Reocrd Log CIM profile).
      Uses DMTF-defined Platform Message Registry log record data
      (in CIM_AlertIndication format).

Version - November 21, 2008
   1. Problem (CQ 38323):
      Disk I/O errors while booting from USB-redirected Win2kPro ISO image. 

      When performing stress tests, ASF, and WS-Man requests cause management
      controller to be very busy. USB redirection task was not able to update
      MSD state after sending USB MSD CSW before task is swapped out, which
      causes next USB request to not process correctly.
      Increase USB task priority. Update MSD state before enable interrupt.
   2. Problem (CQ 38376):
      Unable to access USB-redirected ISO image when rebooting.

      When USB MSD read is active while rebooting, MSD IN endpoint FIFO has
      left over data. The first INQUIRY command after booting will receive
      garbage data.

      Flush MSD IN endpoint FIFO, after system reset.

      Correct INQUIRY response allow BIOS to select USB as one of bootable

   3. Problem (CQ 38517):
      Firmware hang when setting PET destination target to hostname and
      either the DNS server only returns IPv6 address when firmware preference
      is set to IPv4, or DNS server only returns IPv4 address when firmware
      preference is set to IPv6.

      When none of DNS response records are preferred, firmware dereferences
      an invalid pointer.

      Rewrite end of DNS record detection logic.

   4. Problem (CQ 38673):
      Missing DHCP discovery packet if management controller is powered-on 
      while Ethernet link is still being negotiated.

      DHCP discovery is not sent out, if link is not yet up.

      DHCP discovery retry include link down condition.

   5. Problem:
      A PullResponse ending the operation would include both the EndOfSequence
      and an EnumerationContext
      Enumeration MaxElements was not removing the enumeration context when
      the end of the enumeration was reached.

      Do not include enumeration context with end of sequence for

      Problem introduced in v1.11.0.0 (Enhancement #1).

   6. Problem:
      CIM_Fan.OperationalStatus would never show the fan as OK (even when it

      SMBIOS cooling device status was incorrectly mapped to CIM.
      When the cooling device status was OK, it would be represented in CIM
      as 3 (Degraded).

      Changed cooling device status to 2 (OK) when represented as OK in

   7. Problem:
      USB Redirection failures after numerous HTTP sessions.

      Instead of using a random TCP port number, use the next port in the
      Dynamic and/or Private Ports range.

      Only occurred when HTTP server limits number of requests per session.

   8. Problem (CQ 38515):
      The first 3 fields of the GUID/UUID value included in transmitted PET
      packets and CIM payloads was in little endian byte order instead of
      network byte order.

      Requires B57diag v11.76.07 or later to support Zero-touch Provisioning.

   9. Problem:
      OpenTestMan would hang during power change testing.

      Potentially, the maximum TCP retry interval would pass while link was
      down during a power reset.  This would cause the firmware to list the
      connection as closed.  Since OpenTestMan has no HTTP timeout,
      OTM would continue to wait forever for the response.

      Wait for link to be established before sending any data.

      TCP connections on a computer connected to the firmware
      which have no timeout and don't use a keep-alive mechanism
      would appear to hang.

  10. Problem:
      When static IPv6 address is NULL, all zero IPv6 address is attached to
      network interface.

      If static IPv6 address is NULL, do not attach NULL address to interface.

   1. (CQ 38178)
      Do not allow URI for USB Redirection to be set unless USBRedirectionSAP
      is disabled.

   2. Include additional identifying information types for CIM_ComputerSystem
      from DSP1052, CIM:MAC, CIM:Tag, and CIM:Model:SerialNumber.

   3. Added Unicode support for PLDM BIOS String table.

   4. Added UTF-16 support for CIM_BIOSString CIM_BIOSPassword.

   5. Include dummy timeout values for CIM_USBDevice and CIM_USBRedirectionSAP
      property values: CommandTimeout, ResetTimeout, and SessionTimeout.

   6. Model the Administrator role as a "static" role:
      Set a value of 2 (Static) in CIM_Role.RoleCharacteristics property to
      roles with the admin flag set.  Fail ModifyRole() on admin roles.

   7. Support the SuperUser privilege flag for the Role Based Authorization
      and Simple Identity Management profiles.

      For RBA, require the SuperUser privilege for the following:
      - Invoke CIM_RoleBasedAuthorizationService.ModifyRole()
      - Invoke CIM_RoleBasedAuthorizationService.AssignRoles()
      For CIM_RoleBasedAuthorizationService and CIM_Role, SuperUser implies
      read, write and execute privileges.

      For SIM, require the SuperUser privilege for the following:
      - Modify any property except password for your own CIM_Account
      - Modify any property of another CIM_Account
      - Create/Delete/Disable accounts

      The "ProvisionConsole" pseudo user has the SuperUser privilege for RBA
      and SIM profiles.

Version - October 30, 2008
   1. Problem:
      A reboot loop could result from a change boot order performed on the 
      one-time boot configuration with un-bootable boot source specified.

      Fix for CQ 37995 introduced in v1.11.0.1.

      The failed boot will reset the management controller while an
      NVRAM-write is pending.

      Revert Fix #2 (CQ 37995).

Version - October 29, 2008
   1. Problem:
      AssociatedInstance queries were only returning the odd numbered
      instances in the sequence.

      Enumeration optimization feature did not correctly set the last
      traversed association instance to the last successful one.

      Correct tracking of last traversed association.

      Problem introduced in v1.11.0.0 (Enhancement #1).

   2. Problem (CQ 37995):
      BIOS Error/hang if NVRAM write occurs during option ROM

      When management firmware performs NVRAM write, it takes 10 milliseconds
      to erase block for certain Flash part.  If during this period of time
      system is accessing PXE option ROM space, timeout will occur which
      result in incorrect data. 

      Avoid NVRAM writes during system boot when PXE option ROM is enabled.
      DASH firmware will check PXE enable config flag when PCIE reset occurs.
      If PXE option ROM loading is supported, stop any new NVRAM write until
      one minute timeout or receipt of OPTION_ROM_STARTED APE event.

   3. Problem (CQ 38186):
      DHCP6 enabled but DHCP6 solicit packet is never transmitted.

      Retry up to 3 times with 1 second delay, to allow link local address
      duplicate address detection to complete, so DHCP6 solicit packet can be

      Problem introduced in v1.11.0.0 (Problem #5).

   1. CQ 38178
      Do not allow URI for USB Redirection to be set unless USBRedirectionSAP
      is disabled.

      Previously, the URI could be remotely changed at any time. This could
      cause issues such as when booting to a WinPE ISO image (e.g. changing
      the URI while booting caused BSOD).

   2. TAHI IPv6 conformance test:
      Retry sending of IPv6 RS packet until max retry limit reached.

Version - October 24, 2008

   1. Problem:
      Limited number of sequential SSH connections supported.

      Memory leak in security library.

      Update to latest version of security library with fix.

   2. Problem (CQ 38113):
      Firmware stops functioning after transitioning from OS-present to
      OS-absent with DHCPv6 enabled and no network link.

      Null pointer dereference in DHCPv6 lease change code caused 
      firmware exception (APE "firmware status" value of 0xf0090300).

      Problem would not occur if BrcmMgmtAgent was installed and running
      since this would automatically disable DHCPv6 under this condition.

   3. Problem:
      SOAP request failure:
      When a tag in the default XML namespace defines a new XML namespace
      prefix, but does not redefine the default XML namespace, the XML tag
      error tracking would loose sync with the XML causing all following 
      tags to be considered invalid until a tag stack error occurred 
      (usually at the end of the XML tag which triggered the issue).

   4. Problem:
      For CIM_BootConfigSetting.ChangeBootOrder(), the PLDM mode should be
      OrderedAndLimitedFailThrough instead of OrderedFailThrough.

      Requires BIOS to support PLDM OrderedAndLimitedFailthrough mode.
   5. Problem:
      TAHI IPv6 Duplicate Address Detection (DAD) testing failure.

      Takes a little bit of time to link up, and DAD packet was sent too

      Retry sending of IPv6 DAD NS packet until successful.

   1. Optimized WS-Management enumeration support:
      Send multiple items per response when supported by the management

      Significant reduction in total number of packets and time required for
      complete enumeration in most cases.

   2. TAHI IPv6 conformance test:
      Added support for APE events to transmit PMTU and ICMP packets required
      by TAHI IPv6 "host" test suite.
   3. TAHI IPv6 conformance test:
      Added support for "Receive ALL Packets when OS-absent" Advanced setting
      for IPv6 Ready phase-2 "host" logo certification testing.

      Requires updated B57diag or BMCC to enable this option (defaults to 

Version - October 17, 2008
   1. Problem (CQ 38000):
      Missing SMBIOS-dependant CIM profiles after performing reboot & reset
      methods from Base Desktop & Mobile profile.

      If the SMBIOS structure table has changed, the SMBIOS meta-data is 
      transferred (via PLDM) after the SMBIOS structure table. If the SMBIOS
      structure table record and the meta-data record are out of sync, the
      SMBIOS structure table is not used. After a PLDM SMBIOS transfer, the
      tables are being reparsed, but not after a meta-data update.
      As a result, a changed SMBIOS structure table would not be used until
      after the next configuration change despite the SMBIOS and meta table
      in the configuration and NVRAM being in sync.

      Parse the system tables after an SMBIOS meta-data update via PLDM.

      Problem only occurred on systems that use PLDM for SMBIOS data transfer.

   2. Problem (CQ 37908):
      When management controller is configured to use DHCP no DHCP server is
      online, the next IP/IPv6 configuration change will not take immediate

      DHCPv4 only.

   3. Problem (CQ 37892):
      Cannot boot to WinPE2 image successive times via USB Redirection using
      HTTP-Digest authentication.

      Digest authentication credential cache issue.

      Instead of basing the decision to re-send the request on the previous
      success of authentication, base it simply on the existence of

      Authenticated USB Redirection over HTTP or HTTPS sessions only.

   4. Problem (CQ 37870):
      Cannot boot to WinPE2 image successive times via USB Redirection.

      When Vista PE finishes booting and Vista USB driver is initializing,
      USB bus is still busy with read command.  USB driver issues a reset on
      USB bus (equivalent to pull USB cable).  USB redirection task is stuck
      at processing read data.

      When a new USB MSD command is received, drain out old read data if USB
      task is still processing previous read command.

Version - October 8, 2008
   1. Problem (CQ 37443):
      Firmware crashes while copying a DVD image (4.3GB) onto the local HD
      via USB Media Redirection.

      Not root-caused, but suspect concurrent access to shared HTTP client
      resources caused corruption.

      Remove concurrent access to HTTP client resources for USB redirection.

      USB Media Redirection feature.

   2. Problem (CQ 37791):
      Firmware USB redirection task hangs when accessing ISO image over

      When using web server over internet for USB redirection, sometimes a
      read request takes a long time to complete or read timeout due to not
      receiving response.  USB host will issue device reset or MSD reset to 
      abort the command. Under certain timing, USB task will be blocked 
      forever waiting for USB ready to send next batch of read data, however
      USB state machine already aborted read command.

      When USB host issues device reset or MSD reset, wake up blocking USB
      task and abort current command.
      Reduce HTTP read timeout from 30 seconds to 4 seconds for faster read
      failure response.

      USB Media Redirection feature.

   3. Problem (CQ 37834):
      Extra DCHPv4 request is observed after DHCP renewal (after driver

      Routine that handles transition from OS present to OS absent setup a
      redundant timer.

      Eliminate redundant timer.

      DHCPv4 lease renewals after transitioning from OS present to OS absent.

Version - October 2, 2008
   1. Problem (CQ 36207 revisited, again):

      Default DTR timeout increased from 2500ms to 5000ms.
      DTR timeout value is now configurable (in milliseconds).
      Monitor DTR option is now disabled by default.

      Fix only applies to configurations with the "Monitor DTR" console
      redirection option is enabled.

      Power-resets can take as long as 20 seconds, so the "Monitor DTR" option
      is recommended to be disabled.

   2. Problem (CQ 37529 and 37558):
      Attempting to boot to a USB Redirection ISO image over HTTPS is
      extremely slow or results in the system hanging.

      System intermittently bypasses boot to USB Redirected image (over HTTPS)
      and proceeds to next bootable device.

      When a socket connection closes, read routine would block for 30 seconds.
      After open and close connection for about 30 times, new connection can't
      be opened due to receive filter leak.

   3. Problem (CQ 37628):
      Unable to manage User Accounts and Roles using "ProvisionConsole" login.
      ProvisionConsole privileges incorrectly specified to exclude execution

   4. Problem (CQ 37649):
      BSOD while booting to a WinPE image over USB Redirection.

      When switching from Windows progress bar to window, there is a few
      seconds of no activity. Web Server will send a TCP FIN to close down its
      end of connection.  On next read, we are using half closed socket, so 
      read fails. Normally read failure is not an issue, as OS will retry, but
      during WinPE booting, there is no retry, so blue screen.

   5. Problem (CQ 37677):
      Attempting to invoke an unimplemented method with at least one parameter
      specified will crash firmware.

      NULL dereference after failed parameter initialization.

   6. Problem (CQ 37663):
      Some Registered Profiles do not enumerate when APE FwUpdate is not

      Missing break statements in cim_registeredprofile_get case statements, 
      so registered profile instance dependency checks fell-through to include
      dependency checks for *other* registered profiles. This problem was
      actually introduced back in June with the OS Status profile being
      dependant on the Indications profile.

   7. Problem (CQ 37681):
      After multiple Telnet console redirection sessions are terminated due to
      dropped DTR, no more Telnet sessions possible.

      Zero-copy buffer leak when Telnet sessions are terminated due to dropped

   8. Problem (CQ 37709):
      WS-Event Heartbeats are sent to management console when not enabled.

      Heartbeat timer was being reset on every indication, even if heartbeats
      were disabled.  Because the heartbeat timer when heartbeats are disabled
      is initialized to zero, there would be a zero time delay in between

      Only restart the heartbeat timer if heartbeats were requested during the
      subscription and the heartbeat timeout is greater than zero.

   1. Updated Opaque Management Data implementation to match current profile
      v1.0.0c draft proposal which requires compliance with the Enabled
      Logical Element Profile.  Thus the following properties are changed or
      added to have the specified value in the CIM_OpaqueManagementDataService
      and CIM_OpaqueManagementData classes:

        1. EnabledState = 2(Enabled)
        2. RequestedState = 5(No Change)
        3. HealthState = 0(Unknown)
        4. PrimaryStatus = 0(Unknown)
        5. AvailableRequestedStates = NULL

   2. Added ElementName property to the following CIM classes:
      CIM_RemoteServiceAccessPoint and CIM_USBDevice.

Version - September 25, 2008
   1. Problem (CQ 36207 revisited):
      Console redirection session terminates during system power-on or reset
      if management firmware "Monitor DTR" option is enabled.

      A PCI reset causes all UART registers to be reset to 0. The firmware is
      (optionally) monitoring the UART MCR register for the DTR bit and if the
      bit goes low (drops) for 100ms, the firmware terminates the console
      redirection (Telnet or SSH) session.

      Apparently DTR may be low for much longer than 100ms during a PCI reset.

      Require DTR to be low for 250 ticks (2500ms) before disconnecting.

      Fix only applies to configurations with the "Monitor DTR" console
      redirection option is enabled.
   2. Problem:
      When there is no "APE Config" directory entry in the
      network/management controller's NVRAM, the management firmware will
      crash during initialization.

      An uninitialized pointer to the SMBIOS structure table.

      Crash would also likely occur if the "APE Config" directory existed,
      but there was no SMBIOS structure table configuration record within.

   3. Problem:
      Enumeration of CIM class could return instances with NULL key property

      Key values were not validated during enumeration.

      Do not return instances with NULL key values because they are invalid
      instances and should not be included in the enumeration results.

   4. Problem:
      CIM_SoftwareInstallationService class was instantiated and advertised
      via CIM_RegisteredProfile even when out-of-band management firmware
      updates were not supported (there was no "APE FwUpdate" NVRAM
      directory entry).

      Instantiate CIM_SoftwareInstallationService class only when the NVRAM
      supports out-of-band management firmware update.

   5. Problem:
      No "content-type" header was included in HTTP error responses (e.g. 401,
      404, etc.).

      Include "content-type: text/html" in HTTP error responses.

   1. Updated Opaque Management Data implementation to match current profile
      v1.0.0 draft proposal.

   2. USB Redirection performance improvement: Ramp up and back off HTTP
      request sizes as needed to keep receive buffer full without dropping

      Reduce request retransmits when linked at 1Gbps.

   3. Added support for PowerState parameter value of 15 (Power Cycle Off-Soft
      Graceful) to CIM_PowerManagementService.RequestPowerStateChange method.

      Treated identically to 14 (Master Bus Reset Graceful).

Version - September 23, 2008
   1. Clear the pending value table whenever we get a new BIOS Attribute
      table (via PLDM for BIOS).

   2. CIM BIOS class instances only exist if the associated BIOSAttributes
      are in the attribute value table (via PLDM for BIOS).

Version - September 22, 2008
   1. Problem (CQ 37463):
      B57diag sechksum failure after remote firmware update.

      Probable fix:
      Update the NVRAM directory checksum if any bytes were received from
      the server, not just if all bytes were received.

   2. Fixed spelling of CIM_OperatingSystemCapabilities.HostShutdownBehavior.

   3. Added the following required properties for the 
      CIM_SoftwareIncallationServiceCapabilities class:
      - SupportedExtendedResourceTypes
      - SupportedSynchronousActions
      - SupportedTargetTypes 

   1. USB Media Redirection performance improvements.

   2. Incoming HTTP Request processing performance improvements.

   3. SIM and RBA profile request processing performance improvements.

   4. Mutual TLS support:
      Verify HTTPS client certificate if/when the "TLS Server CA Certificate"
      configuration record contains data.

   5. USB Media Redirection verifies URI connection when SAP is enabled.

   6. Zero-Touch Provisioning feature must be enabled in NVRAM (e.g. via
      B57diag->mancfg->Advanced menu). When this feature is disabled, no
      OTP memory accesses are performed and the device is in a perpetual
      "provisioned mode".

      Feature is disabled by default.

Version - September 18, 2008
   1. Problem (CQ 37414):
      Firmware hang upon attempting USB Redirection over HTTP session.

   2. Problem:
      Not using xsi:type for EmbeddedInstance representations as required by
      DSP0230 section

   3. Problem:
      Missing CIM_SoftwareInstallationServiceCapabilities.ElementName

   4. Set a zero length string for the BIOS password in the value table after
      the BIOS has accepted the pending value.

   1. Set required MAC mode register values when initializing the MAC mode 
      register and performing auto-register repair (when enabled).

Version - September 16, 2008
   1. Problem (CQ 37380):
      Encrypted property-stream configuration records (e.g. user accounts)
      could not be modified. Symptoms include corrupted property values,
      property values reverting to default values, and corrupted adjacent
      records whenever such records are modified (locally or remotely).

      BMCFG library fix (in revision 79) for potential forward compatibility
      problems (older applications modifying property-streams created by newer
      applications) introduced problems with updating existing encrypted
      property-stream records. The record corruption was a side-effect of this
      bug due to improper bounds-checking in a property value update routine.

      BMCFG library fix (in revision 81).
      Requires updates to management firmware, BMCC, B57Diag, and 

   2. Problem:
      Transitioning to "Provisioned Mode" did not work 90% of the time.

      A small delay was required as part of the OTP memory write routine or
      the write could have no effect.

      Insert 2us delay between successive writes to the otp_control register.

      Zero-touch provisioning transition to "Provisioned Mode" (immediately
      after authenticating with a configured user account) appears to now work
      100% of the time.

   3. Problem (CQ 37388):
      Potential firmware hang during HTTP authentication.
      Appears to occur upon first authentication after a power-on-reset of the

      Infinite loop while initializing OTP memory access registers.

      Insert 2us delay between successive writes to the otp_control register.
      Added maximum retry counter while polling otp_status register.

   1. Outgoing HTTP connection (e.g. event delivery, USB redirection, firmware
      update) improvements:

      a. Added support for HTTP Digest authentication.

      b. Added support for HTTPS/TLS connections.

      c. If the Client CA Certificate (type 0x53) NVRAM configuration record
         exists and contains data, then the data must be a certificate of a 
         Certificate Authority (CA) in the chain of trust of the certificate
         presented by the TLS server to which the management controller has
         connected. Otherwise, the outgoing TLS connection will not be

   2. NVRAM configuration records for BIOS Metadata (type 0x14) and BIOS
      Attribute Pending Value Table (0x18) are now automatically encrypted by 
      the management firmware since these records may contain the BIOS

   3. NVRAM configuration record for self-generated Private Key (type 0x50)
      is automatically encrypted by the management firmware.

Version - September 12, 2008
   1. Problem (CQ 37253):
      Remote firmware update allows invalid file to be accepted.

      No image header or trailer (CRC or RSA signature) validation was being

      Validate image header and trailer.

      Only valid BCM5761 management firmware images may be remotely

   2. Problem:
      CIM_RunningOS instance could be returned with a "get" request
      even when the host OS was not running.

      "Get" handler for this class wasn't conditional.

      Only return this instance when OS is running.

   3. CIM_BootService instance should be conditional on the existing of

   4. CIM_HostedService privilege issue.

   1. Added "WS-Identify Only" option for HTTP connections.
      Modeled with WSIdentifyOnly property of BRCM_OOBManagementHTTPSetting

   2. Added support for TruManage Zero-touch Provisioning:
      a. WS-Identify response contains MAC address and GUID (always).
      b. Realm value contains MAC address and GUID when in unprovisioned mode.
      c. Ability to authenticate (over HTTP/HTTPS) as "ProvisionConsole" and
         perform user account management while in unprovisioned mode.
      d. Authenticating as a valid user account automatically transitions
         the device to provisioned mode.
   3. Numerous updates to Opaque Management Data implementation to match
      current preliminary profile definition in DMTF.

Version - September 05, 2008
   1. Problem:
      When using a self-generated TLS/SSH server key/certificate pair, a new
      certificate/key pair is created after each management controller
      reset. This generation can take several seconds, during which time 
      HTTP-based management traffic is not supported.

      Automatically generated TLS/SSH server keys were not stored in NVRAM
      correctly. When the management firmware initializes, it detects the
      invalid key and re-generates it. The re-generated key is used correctly,
      but stored in NVRAM incorrectly, so it will be re-generated for each

      Store the self-generated TLS/SSH server private key correctly.

      This defect was introduced in management firmware v1.01.
      When using an imported key/certificate pair, the firmware does not have
      this problem.

   2. Problem:
      Newly defined namespace prefixes for a tag which exists in multiple XML
      namespaces could result in the tag being assumed to be from the
      incorrect XML namespace.

      Check the namespace prefix after 'xmlns' parsing has completed if
      any new XML namespace prefixes have been defined in this tag.

   3. Problem:
      Under high load situations, the TCP stack could fail to accept incoming
      TCP connections (e.g. HTTP, HTTPS, Telnet).

      Increase size of network memory pool.

   4. Problem:
      If the ResultClassName parameter to an association query is an unknown
      class name, it would treated the same as an unspecified class name.

      Correctly differentiate between an unknown ResultClassName and an
      unspecified one.

   5. Problem:
      User account passwords up to 64 characters are supported in the
      configuration records, but only 32 characters were used for HTTP

      Increase the support for HTTP passwords up to 64 characters.

   6. Problem (CQ 37093 and CQ 37094):
      Including <MethodResult> after a failed method would cause the firmware
      to crash.  
      Include NULL dereference checking to prevent this.

   1. Use recommended CIM interop namespace: "interop".

   2. Enable TCP server keep-alive packets (every 75 seconds) to detect broken
      TCP connections (after keep-alives with no ACK) and return TCP resources
      to the network memory pool, allowing new remote management sessions.
      This feature may be disabled in the BMCC Advanced Settings menu.

   3. USB Media redirection (over HTTP) support using DMTF USB Redirection 

      Requires BMCC v1.09+ to enable this feature.

   4. Graceful shutdown, restart, sleep, and hibernate support using DMTF
      profiles: Base Desktop and Mobile, Power State Management, and 
      OS Status.

      Requires BrcmMgmtAgent v1.09+ to utilize this feature.

   5. Remote out-of-band management firmware update support using the DMTF
      Software Update profile.

Version 1.02.0 - August 25, 2008

   1. Problem (CQ 36130):
      Watchdog PET erroneously transmitted after enabling or resetting
      management firmware.

      The watchdog timer is being re-enabled and reset (to ASF_SDT
      ASF_INFO.MinWatchdogResetValue) every time the management firmware
      is initialized or re-initialized.

      No longer re-start the automatic Watchdog counter any time the 
      management controller is reset.

      Only affects platforms where ASF_SDT->ASF_INFO.MinWatchdogResetValue
      is non-zero. 

   2. Problem (CQ 36131):
      Transmitted System Heartbeat Alerts (PETs) contain incorrect Entity ID
      value (0 instead of 23 decimal).

      The "chassis" Event Sensor Type was included in the 
      default PET heartbeat values rather than the "chassis" Entity ID.

      Fixed the Entity ID value used for PET system heartbeat messages.

   3. Problem (CQ 36134):
      Incorrect Event Source Type value in transmitted PETs (always 0x68, 

      The firmware routine that transmits a PET (over UDP/IP) also set the
      "Event Source Type" to 0x68, over-riding any value that was read from
      the ASF system description table (ASF_ALRT record) or pushed to the 
      management controller over the SMBus.

      The "Event Source Type" value read from the ASF_ALRT record or pushed to
      the management controller over the SMBus (e.g. in a "Push Alert" or 
      "Start Watchdog Timer" message) is now used in the transmitted PET.

   4. Problem (CQ 36138):
      Disabling the "HTTP GET" feature doesn't prevent web browser access to
      HTML interface.

   5. Problem (CQ 36169):
      Changes to the Enabled and Port properties of the 
      BRCM_OOBManagementHTTPSetting, BRCM_OOBManagementHTTPSSetting, 
      BRCM_OOBManagementRMCPSetting, and BRCM_OOBManagementSecureRMCPSetting
      classes do not take affect until a reset of the management controller.

      The HTTP and RMCP services must be recycled after changing the enabled
      state or the TCP or UDP port number.

      Automatically recycle the affected services when these property values
      are changed.

   6. Problem (CQ 36170):
      When using the CIM ModifyInstance() intrinsic of the 
      BRCM_OOBManagementHTTPSetting and BRCM_OOBManagementHTTPSSetting classes
      to modify the Realm property value, the property is not read back 
      properly if the new Realm property value (string length) is shorter than
      the previous value.

   7. Problem (CQ 36207):
      Console redirection session terminates during system power-on or reset
      if management firmware "Monitor DTR" option is enabled.

      A PCI reset causes all UART registers to be reset to 0. The firmware is
      (optionally) monitoring the UART MCR register for the DTR bit and if the
      bit goes low (drops), the firmware terminates the console redirection 
      (Telnet or SSH) session.

      Require DTR to be low for 10 ticks (100ms) before disconnecting.

   8. Problem (CQ 36208):
      ASF Watchdog PET erroneously transmitted after boot on some systems.

      BIOS does not send an ASF "Stop Watchdog" SMBus message, expecting that
      when the OS device driver loads, this will stop any pending watchdog
      timer. Legacy (pre-BCM5761) management firmware would automatically stop
      the watchdog timer, but this behavior was not implemented in the BCM5761
      management firmware.

      When the OS device driver for the network/management controller loads,
      any pending ASF watchdog timer (either started by the BIOS or
      automatically via ASF_SDT->ASF_INFO.MinWatchdogResetValue) is stopped.

      For platforms where the BIOS does not stop the ASF watchdog timer, if
      the OS device driver for the network/management controller is not
      loaded, a watchdog expiration PET may be transmitted by the management

   9. Problem (CQ 36219):
      Short (<12 hour) DHCP leases expire without renewal when OS-absent.

      The DHCP lease renewal (rebind) time was hard-coded to 12 hours.

      Change DHCP rebind time to 7.5 minutes when in DHCP mode and switching
      from OS-present to OS-absent.

   10. Problem (CQ 36221):
       Changes to BRCM_OOBManagementSecureRMCPSetting values not saved to

       Firmware did not update RSP configuration record in NVRAM.

       Save modified RSP configuration record to NVRAM.

   11. Problem (CQ 36222):
       DHCPEnabled incorrectly returns True in BRCM_OOBManagementIPv4Setting

       Firmware inadvertently returned the Enabled property value instead of
       the DHCPEnabled property value.

   12. Problem (CQ 36227):
       HTTPS fails after running overnight with batch file that toggles
       Enabled property.

       Problem (CQ 36264):
       HTTPS stress (repeatedly performing WinRM identify) eventually
       (24+ hours) fails to respond.

       Memory leaks in TLS/SSL library.

   13. Problem (CQ 36230):
       SSH text console redirection APE GRC reset mutex lock.

       When SSH text redirection is active, console redirection task is
       always running, so in SSH processing disable GRC reset mutex lock
       protection, so other host entities (e.g. B57diag) may obtain GRC reset

   14. Problem (CQ 36231):
       RMCP support still enabled after disabling in 

       Firmware was not setting the Enabled property of 
       BRCM_OOBManagmentRMCPSetting and BRCM_OOBManagmentSecureRMCPSetting
       classes properly.

   15. Problem (CQ 36285):
       Wrong date/time from CurrentDateTime property of 
       BRCM_OOBManagementService instance.

       Firmware was reporting the time zone offset with the wrong polarity.

       BrcmMgmtAgent did not account for the daylight savings bias when
       reporting the time zone bias to the firmware.

   16. Problem (CQ 36316):
       3 heartbeat events are sent consecutively when going in or out of 
       standby (S3).

       With heartbeat interval set to 10 seconds, and the retry interval set
       to 20 seconds, if the initial connect to send a heartbeat message 
       fails for any reason, after 20 seconds, two more heartbeat events are
       generated.  The management firmware then does a successful connect()
       and at that point has three heartbeats scheduled for delivery.

       Stop heartbeat timer while in the process of sending an event and 
       restart it after the event is sent successfully.

   17. Problem (CQ 36328):
       Loss of IPv6 connection when IPv4 is disabled because it requires a 
       apectl -r.

       When IPv4 is disabled, device is marked down, so IPv6 traffic can't get
       Device is marked up by IPv6 only during initial init while auto-config
       link local address.

       Mark device up when adding new IPv6 address to device (for static IPv6
       config) or when start of DHCPv6 process.

   18. Problem (CQ 36363):
       Clearing default gateway in management configuration does not remove
       default routes in management firmware (for both IPv4 and IPv6).

       When IPv4/v6 configuration is changed, before removing old IP from
       device, remove default routes first.

   19. Problem (CQ 36370):
       External TLS/SSL Certificate and Private key configuration changes do
       not take effect.

       The management firmware is not automatically recycled when these
       configuration records are changed.

       Add check for Certificate and Private Key changes in configuration
       change event handling.

   20. Problem (CQ 36371):
       No IPv6 management connection while in PXE image menu.

   21. Problem (CQ 36384):
       Web page output corruption.

       Unaligned NVRAM reads of less than four bytes total would be incorrect.

   22. Problem (CQ 36386):
       Long hang then crash when accessing CIM_EthernetPort.NetworkAddresses
       via web interface.

       Insufficient array bounds checking on array property.

       Fixed CIM_EthernetPort implementation and added checks in web server 
       code to prevent future crashes to the same issue in other classes.

   23. Problem (CQ 36396):
       Web interface does not work with index files in subdirectories.

       Trailing slashes were being removed from URIs before filename matching.

       Do not strip a trailing slash from URIs before matching filenames.

   24. Problem (CQ 36400):
       CIM_BIOSString has no ElementName property value.

       ElementName was not in the CIM_BIOSString property order array.

       Added ElementName property to CIM_BIOSString property array.

   25. Problem (CQ 36412):
       CIM_BIOSServiceCapabilities.SupportedPasswordEncodings has incorrect

       CIM_BIOSServiceCapabilities.SupportedPasswordEncodings value returned
       was a string when it should be a uint32 array.

       Changed the value returned to a uint32 array.

   26. Problem (CQ 36458):
       TCPProtocolEndPoint property ProtocolIFType showing wrong values.

       Modify code to return correct value for ProtocolIFType property.

   27. Problem (CQ 36469):
       CIM_SoftwareIdentity instances report incorrect network driver versions.

       Firmware misinterpreted the driver's type field as part of the revision

   28. Problem (CQ 36509):
       No management connection after PXE driver unload when connect thru 
       10/100 switch

       When PXE driver unloads, MAC mode register is set to GMII, so if a 
       10/100 switch is used, no network traffic will get through.

       MAC mode register is being updated for PHY mode only upon link state
       change and when attachment of new IP interface. When PXE driver
       unloaded, no link state change occurs, so MAC mode register is not 
       being updated.

       Update MAC mode register when driver state change (unload) so correct
       PHY mode is being set.

   29. Problem (CQ 36547):
       Incorrect PLDM communications from BIOS may cause management firmware
       to crash.

       BIOS was sending a BIOS Attribute Value table that was erroneous. 
       The management firmware crashed while trying to parse the table.  
       Modified firmware to handle erroneous values in the table and not store
       the table to NVRAM.

   30. Problem (CQ 36550):
       Continuously toggling the SSH SAP on and off, SSH and TLS will
       eventually stop responding.

       Memory leak in SSH server.

   31. Problem (CQ 36595):
       RMCP System State Response does not match BIOS ASF Set System State

       Management firmware was setting ASF system state to "unknown" for every
       power state change thus clearing out BIOS reported system state.  
       Modified to check if power state changed to VMain then set ASF system 
       state to "unknown" only if the current system state is not S0 and if 
       power state changed to Vaux then set ASF system state to "unknown" only
       if it is S0.

   32. Problem (CQ 36642):
       RMCP ACK is not sent for remote power-down or power-reset

       RMCP library was issuing remote control command (SMBus message) before
       sending RMCP ACK. The ACK would be lost while the Ethernet link was
       down due to the power state change.

       Fixed by sending RMCP ACK (if requested) before sending the SMBus
       message to the system remote control device (e.g. chipset).

   33. Problem (CQ 36652):
       On some systems, management firmware may intermittently hang during

       CQ 35446.

       Increase delay before performing GRC register accesses.

   34. Problem (CQ 36754):
       NIC installed with USB connected, Windows Device Manager shows 
       "Unknown Device" warnings on S3 resume.

       NIC firmware does not drive GPIO2 low (USB detach), so GPIO2 is 
       floating high.

       Advertise USB support to boot code, when supported (in v1.10) and
       drive GPIO2 low.

       Requires BCM5761[E] "boot code" firmware v3.63 or later.

   35. Problem (CQ 36753):
       System powered with no memory and connected a Gb link, no management
       traffic is supported.

       BCM5761 core clock is running at 6.25MHz instead of 62.5MHz. 
       Even though the system is in VMain the device has not completed it 
       power state transition into D0 until bit 1 of the PCIE config register
       0x4 is set by the BIOS.  Since there is no system memory the BIOS is 
       not running normally and is not setting this bit.

       Added check in power transitioning state to advertise speed of
       10/100M so we do not link at Gb.

   36. Problem (CQ 36755):
       After power off from SMI, heartbeat sequence gets reset to 1.

       The management controller is being reset due to an ungraceful PME
       turn-off event. The PET sequence number is stored in scratchpad memory
       which is re-initialized as part of the reset.

       Store the current PET sequence number in the management controller
       shared memory region and retain the value across APE resets.
       Other negative effects of a management controller reset due to an 
       "SMI power-off" will remain.

   37. Problem:
       Firmware did not function when imported private key was > 609 bytes.

       Only 609 bytes were allocated for the TLS/SSL/SSH private key, but an
       imported key may be (slightly) bigger.

       Allocate 624 bytes of memory for TLS/SSL/SSH private key storage.

   38. Problem (CQ 36884):
       InstanceID BRCM:1.14 is missing ElementName.

       Profiles not implemented for TruManage 1.0 are defined before the 
       terminator entry which causes a CIM_RegisteredProfile and 
       CIM_ReferenceProfile pair to be generated.

       For TruManage 1.0 builds, place USB Redirection and Software Update
       profiles after the array terminator.

   39. Problem (CQ 36653):
       Able to create OpaqueManagementData instances with MaxSize value of 0.

   40. Problem (CQ 36522):
       Firmware stops after subscribing to events over IPv6.

       NULL dereference in IPv6 stack when a globally scoped address is used
       but no default route has been configured.

       Add check for a NULL default route before dereferencing.

   41. Problem (CQ 36415):
       Management connection is lost when restarting system.

       When host is restarted, a PCIE reset will occur. Management firmware
       will receive interrupt at the falling edge and rising edge of
       transition, and reinitialize tx/rx state machine.  The interrupt is 
       cleared at the end of ISR, this causes some machines with short PERESET
       low durations to lose the interrupt for rising edge, so tx/rx state 
       machines are left disabled.  

       The fixes for CQ 35446 and 36652 inject additional delays into ISR, 
       which magnifies the problem.  
       The solution is to clear interrupt once interrupt value is read before
       any other processing in interrupt service routine.
   42. Problem:
       We do not support the Disabled state with 
       CIM_Account.RequestStateChange() method.
       Return an error rather than success and still take no action.

   43. Problem:
       Existing roles were not reset when creating a new user account.

       Clear old roles when creating a new user.

   44. Problem:
       More than one non-namespace selector in the EPR would always cause a
       Pull to fail.

       Verify the number of selectors after the entire EPR selector block has
       been parsed.

   45. Problem:
       WS-Identify response reported DASH 1.0.0 support.

       Report DASH 1.1.0 support in WS-Identify response.

   46. Problem:
       Invalid initial values for last known state of numeric sensors.

       Use valid initial values of the last known state for numeric sensors.

   47. Problem:
       HTTP-GET "if modified since" requests did not work as expected.

       Reverse HTTP-GET "if modified since" checking logic.

   1. DHCPv6 support.

   2. Automatically restart PET heartbeat timer upon completion of DHCP
      negotiation or external modification of PET configuration record.

   3. Construct the Address value of sent EPRs from the value in the Host
      header included with the request.

   4. For CIM_PhysicalDevice instances for which we get an Asset Tag from
      the SMBIOS table, populate the UserTracking property with the asset tag.
      The only SMBIOS asset tag we do NOT expose is the one for the power 
      supply since it has no corresponding physical device.

Version 1.00.0 - June 28, 2008

   1. Problem (CQ 36020 and CQ 36070):
      Various b57diag operations (e.g. "nictest") would cause the management
      firmware to not transmit or receive management packets. A system full
      A/C power cycle was required to recover the management capability.

      b57diag uses the APE shared memory to gracefully halt the APE, but does
      not deposit a valid "driver state" value. The APE firmware inspects
      this area of the shared memory during initialization to determine if the
      driver (and thus, the host OS) is running. If the "driver state" value
      was invalid, the OS was assumed to be running in which case the firmware
      does not transmit or receive DHCP or ICMP packets.

      Assume the OS is absent when an invalid "driver state" is found in the
      APE shared memory during initialization.

   2. Problem (CQ 36074):
      CIM_ComputerSystem.Dedicated value indicates Desktop (32) instead of 
      Laptop (33) on mobile systems.

      Erroneous mapping of SMBIOS structure information to CIM property value.

      Fixed the mapping.

   3. Problem (CQ 36080):
      CIM_RoleBasedAuthorizationService.ModifyRole() method fails with return 
      value of 2 when attempting to modify role with many privileges.

      XML Namespace parsing did not reuse previously allocated strings causing
      an out of memory condition.

      Optimized XML namespace parsing to allow multiple duplicate namespace 
      declarations using significantly less memory.

   4. Problem:
      ICMPv6 (neighbor discovery) packets were transmitted by the firmware
      even when IPv6 was disabled in the configuration.

      IPv6 was always enabled for the network device during firmware 

      Only enable IPv6 in the device initialization when IPv6 is enabled in
      the management firmware configuration.

      Changing the IPv6 enable/disable state now causes the firmware to
      self-reset (gracefully).

   5. Problem:
      Malformed (invalid base64-encoded) WS-Management requests could cause
      firmware crash.

      Lack of base64 decoding failure checking.

      Check that the base64 decode is successful before using the result.
   6. Problem:
      ASF SMBus boot options requests stopped working as of v0.97.0.

      Excessive processing in the SMBus interrupt handler to support
      WS-Eventing boot progress event subscriptions.

      Optimized handling of SMBus boot options requests.

   7. Problem:
      PLDM over shared memory would stop working after APE reset.
      "BIOS POST complete" state flag value was not maintained across APE

      Store this state flag in the APE shared memory.

   8. Problem:
      When using SMBus ARP, SMBus communications would stop working after
      APE reset.

      ARP-assigned SMBus addresses were not maintained across APE resets.

      Store SMBus ARP state (including assigned addresses) in APE shared

   9. Problem:
      Various CIM Association Instances existed with invalid endpoints.

      Validate endpoints before creating association instances.

  10. Problem:
      Incomplete OMData write when writing beyond an NVRAM page boundary.

      Unhandled boundary condition.


  11. Problem:
      Invalid XML DateTime and Duration representation in WS-Management

      Invalid XML generation.

      Add the appropriate XML child tag.

  12. Problem:
      Various CIM class instances would exist when unsupported by the system
      or the configuration.

      Instantiating classes without first validating support.

      Validate support for classes before instantiating them.

  13. Problem:
      When the firmware was halted by b57diag (e.g. during tests, NVRAM 
      programming, or with the "apectl -h" command), the GRC Reset mutex was 
      left locked by the firmware until reset.

      The GRC Reset mutex was locked before checking for the shared memory
      halt request signature during initialization.

      Lock the GRC Reset mutex after the checking of the shared memory for
      the halt request signature during firmware initialization.

  14. Problem:
      Boot progress events WS-Eventing subscriptions did not function.

      ASF boot options SMBus responses contained incorrect IANA enterprise
      number when subscriptions for boot progress events existed.

      Fixed the encoding of the ASF IANA enterprise number.

  15. Problem:
      Watchdog 2 PET Alerts would be transmitted by the firmware even though
      the watchdog timer had been stopped by the system (e.g. BIOS).

      The watchdog timer was never stopped.

      Stop the watchdog timer when the ASF "Stop Watchdog" SMBus message
      is received by the MC (e.g. from the BIOS).

  16. Problem:
      Received Telnet CR/NUL sequence in Telnet Server did not translate to
      carriage return (ASCII 13).

      The NUL character was not stripped.

      Translate a received CR/NUL sequence to ASCII 13 in the Telnet server.

  17. Problem:
      Dynamic enabling/disabling of SSH Text Console Redirection SAP would
      cause the Telnet port to not accept incoming connections.

      Receive filter management.

      Fixed the management of the SSH and Telnet receive filters.
  18. Problem:
      Modifying CIM Boolean property values did not work.

      Incorrect value parsing.

      Fixed CIM Boolean value parsing.

   1. WS-Eventing Filter Collections now allow subscriptions to all possible
      combinations of event classes.

   2. Consistent and unique CIM InstanceID, DeviceID, and Tag property values.

   3. CIM Alert Indications: Added support for generic event type mapping.

Version 0.99.0 - June 20, 2008

   1. Problem (CQ 35977):
      Unable to view instance of BRCM_OOBManagementService using DashMgmtCon.

      BRCM_OOBManagementService UpTime and CurrentTime properties are CIM
      DateTime properties and the firmware did not support converting DateTime
      values to strings.

      Implement DateTime to string conversion in firmware.

   2. Problem (CQ 35933):
      Execution of CIM_AccountManagementService.CreateAccount() method will
      crash firmware if INPUT Account Template contains no key values.

      NULL pointer passed to create function of AccountTemplate has no

      Added handing for AccountTemplate instance with no properties.

   3. Problem (CQ 35965):
      Unable to read Opaque Management Data instance data larger than 6 bytes.

      Not enough memory was allocated to hold the read OMD data back out.

      Fix limit on size of output parameter in WS-Man/SOAP server.

   4. Problem (CQ 35884):
      Intermittently sends out 3 consecutive WS-Man heartbeat events.

      Similar symptoms found when the event pipe contains heartbeats from a
      previous subscription.  Can only be reproduced by doing a manual
      unsubscribe then resubscribing after the heartbeat interval but before
      the connect/retry timeout.

      Timing sensitive problem with stale heartbeat indications fixed.

   5. Problem (CQ 34883):
      No host or management traffic when Linux tg3 driver is loaded.

      Link down and link up event happen, firmware was reading wrong link 
      up/down value from MII register, which causes device flag to stay down.

      Read CPMU status register in firmware to determine current link up/down

   6. Problem:
      Linear slow down in TCP session handling for every TCP socket created.

      TCP/IP stack select() implementation bug.

      Use poll() implementation instead.

   1. OpaqueManagementDataService:
      Changed the CIM_OMDService class to allow non-Admin user to execute the
      OMDRead, Write, etc.  This will allow the testing of 
      CIM_OpaqueManagementDataService.SetAssocatedPrivilege() method properly.

   2. BRCM_OOBManagementService:
      a. Make DHCPEnabled property read only in BRCM_OOBManagementIPv4Setting
         and BRCM_OOBManagementIPv6Setting classes
      b. define all services that are dependent upon the 
         BRCM_OOBMANAGEMENTSERVICE class in the CIM_ServiceServiceDependency
         association class. 
      c. Updated CIM_RegisteredProfile class to reflect the Broadcom OOB
         Management Service Profile.
      d. Changed BRCM_OOBManagementSecureRMCPSetting Key properties to 
         uint_8[] OctetStrings.

Version 0.98.0 - June 13, 2008

   1. Problem (CQ 35765):
      With account encryption enabled, modifying an account property caused
      all the properties of the account to revert back to default values.

      Problem (CQ 35768):
      With account encryption enabled, CIM_AccountManagementService
      .CreateAccount() would cause a loss of management connection.

      Account records were being inadvertently changed to un-encrypted records
      whenever modified.

      No longer change record attributes when saving account record changes.

   2. Problem (CQ 35784):
      CIM_TCPProtocolEndpoint instances to not have a unique key value.

      Name property was not unique.

      Fix generation of Name property.

   3. Problem (CQ 35876):
      Missing CIM_AssociatedSensor class.

      Not implemented.

      Added implementation of CIM_AssociatedSensor class.

   4. Problem:
      The emulator crashes when an associators/associatorNames without any 
      filtering for the following object path.  

      Infinitely growing enumeration context.

      Validate enumeration context against the pull selector set.

   5. Problem:
      CIM_RegisteredProfile.InstanceID values should not use CIM as a prefix. 
      Per the MOF description of InstanceID, the prefix should be "Broadcom"
      or some other copyright value. 

      Do not prefix InstanceIDs with CIM: unless the instance is defined in a
      MOF from the DMTF

   6. Problem:
      CIM_RegisteredProfile.AdvertiseTypes/AdvertiseTypeDescriptions was not 
      meant for scoping algo. It is meant for protocol level discovery. 

      Set CIM_RegisteredProfile.AdvertiseTypes to 2 and no longer set a
      value for AdvertiseTypeDescriptions.

   7. For the ManagedElement property, added service class instance for 
      Opaque Management Data and OOB Management Service profiles.

   8. Added HostedService association to the BRCM_OOBManagementService class.

   9. Problem:
      APE "GRC Reset" mutex locking errors in b57diag.
      GRC Reset Mutex is released while generating self-signed SSL certificate
      and private key.

   1. Added BRCM_OOBManagementServiceCapabilities class.

   2. Added reloading of PLDM BIOS and SMBIOS meta records when there are any
      changes to the DASH config file.

   3. Added missing properties to BRCM_OOBManagementService.

   4. Added CIM_AssociatedCooling class.

Version 0.97.0 - June 6, 2008

   1. Problem: (CQ 35270)
      There is an instance of CIM_RunningOS even when the host OS (e.g.
      Windows) is not running.

      Management firmware was erroneously basing the OS Enabled status
      on the ASF System State being S0 rather than network controller driver

      The CIM_RunningOS instance will only exist when the host OS (e.g.
      Windows) driver is present and has communicated its status to the
      management firmware.

   2. Problem: (CQ 35334)
      CIM_ComputerSystem.RequestStateChange method invocation with
      RequestedState parameter set to 2 (power-up), returns 2 (failure) on
      some platforms.

      ASF SMBus message sent to the remote control device after a
      GPIO/LOMAlert initiated power-up was being NAK'd.

      If VMain is restored within one second after the GPIO/LOMAlert assertion
      event, do not send the ASF SMBus message to the remote control device
      servicing the power-up function advertised in the system's ASF_RCTL

   3. Problem: (CQ 35444)
      Text console redirection sessions using the SSH protocol would drop.

      When characters were received very quickly by the network controller's
      UART, SSH would fail due to a short socket send() result.

      The send() function used by SSH will now retry the send when a short
      send or EWOULDBLOCK is detected.

   4. Problem (CQ 35476)
      Changing Text console redirection CIM_TCPProtocolEndpoint.PortNumber
      property value set incorrect value.

   5. Problem (CQ 35530)
      Invocation of CIM_RoleBasedAuthorizationService.ShowRoles() method
      returns 2 when INPUT.subject = NULL.

   6. Problem (CQ 35633)
      Continue to receive WS-Eventing heartbeats after deletion of listener

   7. Problem (CQ 35751)
      Unable to authenticate after encrypting account records.

   8. Problem (CQ 35752)
      Microsoft DHCP server allocating 2 IP addresses for the same system when
      DHCPv4 is enabled in the Windows network stack and in the management

      Management firmware was using an RFC4361-based "client-identifier" DHCP
      option value while Windows was using an RFC2131-based value. This caused
      the Microsoft DHCP server to consider the different DHCP clients as
      different systems and assign them each a separate IP address lease.

      Management firmware now uses the RFC2131-based "client-identifier" DHCP
      option value.

   1. Sensors CIM Profile support on platforms that support PLDM Sensors
      (Monitor & Control) and Broadcom-defined SMBIOS extensions.

   2. Opaque Management Data CIM Profile support.

   3. PET destination address may be IPv6 address or hostname.

   4. Additional support for Broadcom OOB Management Service CIM Profile.

   5. Support for HTTP basic authentication during WS-Eventing Push delivery.

   6. 2x CIM Enumeration performance improvement.

Version 0.96.0 - May 15, 2008

   1. Problem: (CQ 35090)
      System does not power up when 
      CIM_ComputerSystem.RequestStateChange(RequestedState=11) is invoked
      as required by DSP1058
      ASF_RCTL entries are used for power control.  The ASF spec does not
      define the actions of power reset when in S4 or S5 states, and on
      some platforms the system does not power up.
      When the system is in S4, S5, or Legacy Off states, issue a power
      up command rather than a power reset command.
      Fixed behavior of CIM_ComputerSystem.RequestStateChange() for all
   2. Problem: (CQ 35335 and 35238)
      CIM_ComputerSystem.RequestStateChange(RequestedState=3) returns
      incorrectly formatted message
      A flaw in the TCP stack implementation could cause the same data to
      be sent multiple times if link is lost while in the send() call
      Fix TCP stack to prevent duplicate sends.
      Connections can now persist across link state and routing table

   3. Problem: (CQ 34884, 34950 and 35072)
      APE can hang under specific circumstances.
      Contention accessing GRC registers while the GRC is being reset by
      another entity (e.g. diag or driver) or external event (e.g. power-state

      Mutex-protect the GRC registers/reset.

      Requires NDIS6 v10.96 or NDIS5 v10.83 and b57diag v11.06.16 or later.

   4. Various BIOS Management and Boot Control CIM Profile fixes.

   1. IPv6 supported using static IP address and stateless auto-configuration
      with link local address. OS network stack IPv6 configuration propagation
      (e.g. with bmcc or BrcmMgmtAgent) not yet supported.

   2. Hostnames supported in WS-Event subscription "NotifyTo" address.

   3. Text Console Redirection CIM Profile support.

   4. SSH protocol for console redirection support.

   5. Dynamic configuration changes supported (without resetting APE).

   6. Offline web data support (in APE_WEB_DATA NVRAM directory entry), so
      large (e.g. > 32K) web data is now supported. Requires b57diag v11.06.16
      or later to import the BMCFG_RECORD_WEBDATA record from a dashfw.cfg
      file into the APE_WEB_DATA NVRAM directory entry using the "mancfg -i"
      command. Use the "bmcc web" command to import web file(s) into a
      dashfw.cfg file. The dashfw.exe firmware emulator may be used to
      test/view the web data embedded in the dashfw.cfg file.

   7. The System Memory CIM_Memory.ConsumableBlocks value is now derived from
      what Windows reports when "bmcc sync" or BrcmMgmtAgent is executed.

Version 0.95.0 - April 16, 2008

   1. Problem:
      Telnet Server (for Text Console Re-direction) does not function.

   2. Problem: (CQ 33985)
      Loss of management traffic connection after NDIS driver is disabled.

   3. Problems with SMBus ARP fixed.  Including Get UDID return 0s.

   4. CIM_BIOSPassword will return values for properties CurrentValue
      and PendingValue if it exist.  Before was always returning empty array.

   5. Problems with Boot Control Profile implementation fixed.

   6. Only advertise BIOS Management Profile if there is a CIM_BIOSAttribute

   7. Problem:
      Console side recv() processing delay.
      Due to the design of the TCP stack, the TCP PUSH flag was sometimes not
      set for the last packet in a response.  This caused the console side to
      begin a timeout waiting for a packet with the PUSH flag set.
      Ensure PUSH flag is set for the last packet of the response.
      Fixes console side recv() delay
   8. Problem:
      Console side transmit delay.
      The firmware was using the RFC recommended 200ms ACK timeout for delayed
      ACK.  At the same time, the console left Nagle's Algorithm enabled on the
      socket.  Further, the request contained more than MSS bytes.  Because of
      Nagle, the console was waiting for the ACK from the previous packet
      before sending the next packet.  The firmware was waiting for 200ms for
      data to be sent to the console (TCP Delayed ACK enabled).  This caused a
      needless 200ms delay before the last packet of a request was sent from
      the console.
      Lower Delayed ACK timeout to 2ms.
      Fixes console side transmit delay.

   9. Problem:
      CIM_ConcreteComponent EPRs missing most of the key values
      CIM_ConcreteComponent internal MOF representation did not contain the
      correct key qualifiers for the class
      Set key qualifiers correctly
      CIM_ConcreteComponent EPRs now correct
  10. Problem:
      AssociatedInstance queries can not cross namespace boundaries.  This
      results in a broken object model.
      The DMTF preliminary DSP0227 specification restricts all classes URI
      results to a single namespace.  This has the effect of constraining 
      AssociatedInstances query results which MUST be targeted to the all
      classes URI.  As a result, it is not possible to use this method to
      traverse cross namespace associations.
      Assuming that this will be fixed in DSP0227, we now constrain only the
      Object parameter to the specified namespace, not the results.
      AssociatedInstance queries now behave differently than previously and
      do not follow the current DSP0227 requirements.

   1. Firmware files (dash*.bin) are now digitally-signed (public key
      available) and use an IEEE standard CRC-32 for the file checksum

      You must use b57diag v11.06 (04/16/08) or later to program the
      firmware into the device's NVRAM (i.e. with the "seprg -a" command) or
      you will get an "invalid CRC" error and may not upgrade the firmware.

   2. Wait for Interrupt (WFI) power-saving feature can now be disabled
      persistently (e.g. using b57diag "mancfg->advanced" menu).

Version 0.94.0 - March 26, 2008

   1. CQ 34390
      ASF2.0 secure connection after 10 seconds, all management traffic stops.

   2. CQ 33983 
      With DHCP enabled, discovery methods and heartbeat PETs do not work.

   3. CQ 33908
      Management traffic does not resume after "bmcc enable".

   4. ASF "Set System State" SMBus message from BIOS did not work.

   5. "bmcc sync" caused firmware hang.

   6. Problems parsing association key values in header fixed.

   7. Problems handing Unsubscribe and Renew requests fixed.

   8. If an XML tag used a new XML namespace prefix and defined
      a default XML namespace, the tag was parsed using the new default
      namespace instead of the one specified by the prefix.

   9. EnumerationContext was incorrectly returned in a PullResponse when
      the EndOfSequence marker was present.

   1. Added OS Status CIM Profile support.

   2. Added CIM_OOBAlertService instance.

   3. Added CIM_EthernetPort instance.

   4. Support for PLDM BIOS over MCTP/SMBus based on PLDM for BIOS spec v0.5.0
      (2/4/2008).  Does not include support for MC/BIOS authentication.
   5. Support for SMBus ARP.
   6. Initial support for PLDM SMBIOS over shared memory based on PLDM for
      SMBIOS Specification version 0.5.0 (2/1/2008).
   7. Support for Boot Control Profile.
      You can use CIM_BootConfigSetting.ChangeBootOrder() and
      CIM_ElementSettingData.ModifyInstance() on the IsNext property to change
      the boot order.
      All changes are pending until system reset.
   8. Support for BIOS Control Profile.
      You can use CIM_BIOSService.SetBIOSAttribute() to change BIOS attributes.
      All changes are pending until system is reset.

   9. Returned EPRs now always include a namespace.

   10. Default (implementation) namespace is now named instead of anonymous.
       New name is "BRCM/implementation".

   11. The SubscriptionManager returned in a SubscriptionResponse is now the
       FilterCollectionSubscription instance which corresponds to the newly
       created Subscription.

   12. Association queries now cross namespace boundaries.

   13. CIM_RegieredProfile.RegisteredName properties no longer contain the
       word "Profile".

Version 0.93.0 - February 15, 2008

   1. CQ 33134
      ARP reply always contains MAC address 00:10:18:00:00:00.

   2. CQ 33152
      Force vaux link does not function properly on various platforms.

   3. CQ 33184
      Cannot obtain an IP from a DHCP server.

   4. CQ 33186
      B57Diag mancfg reports incorrect IP address when DHCP is set to enabled.

   1. Dynamic web (HTML) user interface content with modifiable property values 
      and method invocation (e.g. remote power control).

   2. WS-Eventing/indications subscription and delivery support.

   3. Date and time tracking.

   4. Additional CIM Profiles support.

Version 0.92.0 - December 12, 2007

   1. Firmware crash when NIC was jumpered for mission mode and there was
      no Ethernet link.
      Firmware was clearing CPMU policy register APE field which is reserved
      in some policies.

   1. Added default Web (HTML) user interface using static/canned pages
      for demo purposes only.
      This feature can be disabled by setting "b57diag mancfg" or
      "bmcfg edit" WS-Management->HTTP Get to "Disabled".

   2. HTTPS Basic authentication support can be disabled (for enhanced
      security) by setting WS-Management->HTTP Digest Authentication Only
      to "Enabled".

   3. Role Based Authorization Profile (RBAP) and Simple Identity Management
      Profiles (SIMP) should now be feature-complete:

      You can use ModifyRole(), ShowAccess(), ShowRoles(), Create/Delete

   4. Text Console (UART) Redirection via Telnet can be enabled using the
      "Console Redirection" mancfg menu (for demo/testing purposes).

      Since the CIM Text Console Redirection Profile is not currently
      implemented, you must set "Telnet Auto-Listen" to Enabled for this
      feature to work. A custom serial port driver is required for Windows and
      Linux to use the UART.

      SSH is not currently implemented.

   5. Initial support for PLDM-BIOS over MCTP/SMBus.

   6. Sets link speed based on configuration settings when in Vaux power mode.

   7. Implemented ASF/RMCP "best guess" system state function (based on
      OS/driver presence and VMain presence). CIM_ComputerSystem.EnableState
      and CIM_AssociatedPowerManagementService.PowerState also expose the
      current system state based on this best guess (if not set by the
      BIOS with the ASF "Set System State" SMBus Message).

/* End of File */
Download Driver Pack

How To Update Drivers Manually

After your driver has been downloaded, follow these simple steps to install it.

  • Expand the archive file (if the download file is in zip or rar format).

  • If the expanded file has an .exe extension, double click it and follow the installation instructions.

  • Otherwise, open Device Manager by right-clicking the Start menu and selecting Device Manager.

  • Find the device and model you want to update in the device list.

  • Double-click on it to open the Properties dialog box.

  • From the Properties dialog box, select the Driver tab.

  • Click the Update Driver button, then follow the instructions.

Very important: You must reboot your system to ensure that any driver updates have taken effect.

For more help, visit our Driver Support section for step-by-step videos on how to install drivers for every file type.

server: ftp, load: 1.75