B&R Firmware Version Management on B&R X20 Systems Without OEM Access
Overview
Maintaining B&R Automation hardware on machines from defunct OEMs means you have no service contract, no project source files, no Automation Studio license tied to the machine, and no support portal credentials. This guide covers how to inventory firmware versions, obtain firmware without a B&R customer account, understand compatibility between Automation Studio (AS), Automation Runtime (AR), and module firmware, safely update firmware on a production machine, and troubleshoot version mismatches.
The primary hardware target is the B&R X20CP1584 CPU (Atom 0.6 GHz, 256 MB DDR2, CompactFlash, POWERLINK V1/V2, Ethernet) and its associated X20 I/O modules, bus controllers, and ACOPOS drives. The CP1584 has been supported since Automation Studio V3.0.90.20 and runs AR versions in the standard (non-SGC, non-Embedded) track.
Audience: Automation engineers maintaining B&R X20 systems on machines where the OEM is gone and no documentation exists.
Related documents:
- firmware.md — General firmware concepts and inventory templates
- cf-card-boot.md — CompactFlash card boot procedure and recovery
- acopos-drives.md — ACOPOS servo drive firmware and parameter management
1. Understanding B&R Version Architecture
1.1 The Three-Layer Firmware Stack
B&R systems have three interdependent firmware/version layers:
| Layer | What It Is | Where It Lives | Example |
|---|---|---|---|
| Automation Studio (AS) | Development IDE running on your PC | Windows workstation | V4.10, V4.12, V6.0 |
| Automation Runtime (AR) | Real-time OS on the target CPU | CompactFlash (target) | E4.10, I4.12, D4.80 |
| Hardware Firmware | Module-level firmware on I/O, bus controllers, drives | Flash inside each module | X20BC0088 V1.05, ACOPOS V2.47 |
A mismatch at any layer prevents downloads, causes errors, or bricks modules.
1.2 Automation Runtime (AR) Version Naming Convention
AR versions use a prefix letter + version number format:
| Prefix | System Generation | Typical Hardware |
|---|---|---|
No prefix (e.g., 4.10) | Standard / Industrial PC / Power Panel | X20CP1584, Power Panel 500 |
E (e.g., E4.10) | Embedded | Panel PCs with embedded runtime |
D (e.g., D4.80) | Different platform target | Older B&R hardware |
I (e.g., I3.10) | Intel-based legacy platform | Older PLC systems |
N (e.g., N4.02) | Another platform variant | Specific Power Panel models |
F (e.g., F2.33) | SGC (System Generation Compact) | X20CP0291 and similar compact CPUs |
T (e.g., T2.80) | SG4 platform | Specific target systems |
For the X20CP1584: The runtime version will typically be in the standard track (no prefix, e.g., 4.10, 4.12, 4.90, 4.93) or may display as E4.xx on the boot screen depending on the firmware generation. Check the CPU’s boot screen or the System Diagnostics Manager to confirm the exact AR version string.
1.3 AS-to-AR Compatibility Rules
- Each AS version ships with a set of AR “upgrades” (runtime packages). The project specifies which AR version the target runs.
- AS version must be >= the minimum AS version that supports the chosen AR version.
- Newer AS versions can generally target older AR versions (backward compatible), but older AS versions cannot target newer AR versions.
- The AR upgrade must be installed on the development PC (via
Tools > Upgradesin AS) before you can build a project targeting that AR version. - Automation Studio 4.x targets AR 4.x. Automation Studio 6.x targets AR 6.x. These are NOT cross-compatible — an AS6 project cannot be downloaded to an AR4 target.
2. Determining Firmware Versions on an Existing System
2.1 CPU / Automation Runtime Version
Method 1: Boot Screen (No Tools Required)
When the X20CP1584 powers on, the boot screen displays the AR version briefly. Connect a monitor/keyboard or observe via serial console (IF1 RS232 at 115.2 kbps). Look for a line like:
B&R Automation Runtime N4.02
or
B&R Automation Runtime E4.10
This is the fastest way to identify the runtime version with zero tooling.
Method 2: System Diagnostics Manager (SDM) via Web Browser
- Determine the CPU’s IP address (check any network scanner, or try the default B&R range 192.168.1.x)
- Open a web browser and navigate to
http://<CPU-IP> - SDM shows detailed hardware/software info including:
- AR version
- CPU model and hardware revision
- All connected I/O modules and their firmware versions
- X2X Link topology and module status
- Battery status
- SDM works even when the PLC is in SERVICE mode
Method 3: Automation Studio — Online > Device Information
With AS connected to the target over Ethernet:
Online > Settings— confirm IP connectivityOnline > Device Information— shows target AR version, CPU model, serial number- Physical View shows each module with its firmware version in the properties panel
Method 4: Read AR Version from the CompactFlash Card
If you have the CF card removed from the CPU (see cf-card-boot.md):
- Mount the CF card on a PC
- The AR version is embedded in the boot configuration files on the card
- Look for the
BrAppDatadirectory and configuration files that reference the runtime version
2.2 I/O Module Firmware Versions
X20 I/O modules receive their firmware from the CPU during the download process. The CPU pushes the correct firmware to each module via the X2X Link bus.
Method 1: SDM (Recommended)
Via http://<CPU-IP> in SDM, the I/O tree shows each X20 module with its current firmware version and hardware revision.
Method 2: Automation Studio Physical View
When connected online (Online > Go Online), the Physical View displays each module. Right-click a module > Properties to see the firmware version running on the target vs. the version in the project.
Method 3: Module LEDs
While not version-specific, I/O module LED behavior indicates firmware mismatch:
- Blinking
r(red) LED: The module is in an error state, which can include firmware mismatch with the CPU’s expected version - Solid
rLED: Fatal error; module will not operate
2.3 Bus Controller Firmware (X20BC0083, X20BC0088)
Method 1: Web Server on the Bus Controller
For EtherNet/IP bus controllers (X20BC0088):
- Connect to the bus controller’s IP address via web browser
- Navigate to the Adapter Status page — Version Information section shows firmware version
- Login: default username
admin, passwordX20BC0088(case sensitive, model-specific)
Method 2: Automation Studio
When the bus controller is part of the AS project, its firmware version appears in the Physical View. If the BC is a standalone gateway not managed by a CPU, use the web interface.
2.4 ACOPOS Drive Firmware Versions
Method 1: ACOPOS Service Menu
On the drive front panel:
- Access the ACOPOS Service menu (procedure varies by drive model — consult acopos-drives.md)
- Navigate to the firmware/software version parameter
- The display shows the current drive firmware (e.g., V2.47)
Method 2: Automation Studio — Drive Parameters
When connected to the CPU controlling the drives:
- Open Hardware Configuration > Drive Parameters
- The parameter tree shows the drive firmware version
- Compare against the
.GDMfile version — open the GDM as text (right-click > Open With > Notepad) and search for theVprefix version string
Method 3: SDM
If drives are connected via POWERLINK, SDM at http://<CPU-IP> may show drive status including firmware versions in the motion diagnostic section.
3. Obtaining Firmware Without an Active Service Contract
3.1 The Access Problem
B&R’s download portal (br-automation.com/downloads) requires a login for most firmware files. Many downloads show “Login for download.” Without an OEM relationship, you face:
- No portal credentials
- No support ticket channel
- No access to firmware upgrade packages through official channels
3.2 Obtaining Automation Studio (Development Tooling)
90-Day Evaluation License (Recommended Starting Point)
- Go to
br-automation.com > Service > Software Registration - Register for an evaluation license — provides unrestricted AS functionality for 90 days
- After 90 days, you can request a new 90-day extension repeatedly
- The evaluation license gives you full AS access including
Tools > Upgradesto download AR packages - Limitation: Commercial use is technically not permitted under the evaluation license. For emergency maintenance on a machine with no OEM, this is your practical option.
Important: AS Version Selection
- AS 4.12 is the last version in the AS4 product line and supports all AR 4.x versions
- AS 6.x requires an AR 6.x target — incompatible with older X20 hardware running AR 4.x
- For the X20CP1584 running AR 4.x, install Automation Studio 4.12 (latest AS4)
- AS4.12 includes all hardware upgrades for X20 modules up to the AS4 end-of-life
Automation Studio 6.x Ecosystem (2024-2025)
B&R released Automation Studio 6.0 in mid-2024 as a major overhaul with a reimagined user interface and revised editing rules. Subsequent releases through AS 6.3 (June 2025) added significant new capabilities. AS 6.x does NOT replace AS 4.x — it is a parallel product line with a separate license. Projects from AS 4.x cannot be opened directly in AS 6.x; they must be ported using community migration tools.
| Release | Date | Key Changes |
|---|---|---|
| AS 6.0 | Mid-2024 | Complete UI overhaul, revised editing rules, compatibility mode for AS 4.x projects |
| AS 6.1 | Late 2024 | Stability fixes, expanded hardware support |
| AS 6.2 | Early 2025 | Multicore processing support for AR 6.x targets (core assignment per task) |
| AS 6.3 | June 30, 2025 | AS Code (VS Code-based editor, open beta), AS Copilot (AI assistant), hybrid library import, CLI tool for 3rd party device import, ST-OOP support |
| AS 6.4 | Late 2025 | Multicore ANSL communication tasks, hypervisor Windows 11 + efficiency cores, GPOS driver 2.1.0, FTP server port config, ManagedCertificateStore with ArMcsRecreateCert, Reader/Writer Locks, SMB 1.0 permanently disabled |
| AS 6.5 | Dec 18, 2025 | Hard real-time multicore (task classes assignable to specific cores), ST-OOP inheritance/polymorphism/access specifiers/abstract methods, FTP RBAC, ManagedCertificateStore extended to ANSL/FTP/HTTP/SMTP, TFTP default Off, self-signed certificate warning dialog, CLI library exporter (BR.AS.LibraryExporter.exe), SNI support in AsHttp, ArCert CSR generation, warnings-as-errors build option, removal of source file encryption, telemetry data collection |
| AS 6.5.1 | Feb 4, 2026 | Bugfix release. Fixes ST-OOP issues in PV Watch, ARM configuration build fixes for ST-OOP migration. Known issue: upgrade menu may not show latest upgrades (workaround: use “Local” tab). Some users report build crashes (6.5.1.17) — update to 6.5.2 if affected. |
| AS 6.5.2 | Mar 2026 | Bugfix release. Fixes upgrade service connectivity issues (AS 6.5.1 upgrade server problems), additional ST-OOP stability fixes. If using AS 6.5.x, update to 6.5.2 as minimum — 6.5.0 and 6.5.1 have known upgrade service issues documented in the B&R Community. |
AS Code is a VS Code-based editor fully compatible with AS 6 projects, offering modern editors for ST and C/C++, syntax error highlighting, minimap, multiline edit, dark/light themes, references/refactoring, and Git integration. It includes an AI assistant (AS Copilot) for code generation and commenting (ST only as of 6.3). AS Code requires PVI License (1TG0500.01) for smooth debug/transfer. AS 6.3 installs as an update to AS 6.1 — both versions coexist in compatibility mode.
Multicore processing (AS 6.2+): On multi-core AR 6.x controllers, cores can be assigned dynamically to AR or GPOS (Linux via exOS). Not applicable to single-core CP1584, but relevant for migration planning to newer B&R hardware.
Sources: B&R Community — AS 6.3 release, B&R Community — Multicore in AS6, B&R Community — AS 6 features
3.3 Obtaining AR Upgrades and Hardware Upgrades
Once you have AS installed with an evaluation license:
- Open Automation Studio
Tools > Upgrades- The Upgrade Manager connects to B&R’s server and downloads available:
- AR upgrades (runtime versions for the CPU)
- HW upgrades (firmware for individual hardware modules — I/O modules, bus controllers, interface modules)
- Install the upgrades you need — they are stored locally and can be used offline afterward
- Save these upgrade packages to external media for archival. If your evaluation license lapses before you need them again, having the upgrade files stored locally means you can install them on a fresh AS instance without re-downloading.
3.4 Downloading Specific Module Firmware Files
Some firmware files are available on the B&R website without login:
- Browse to
br-automation.com > Downloadsand filter by hardware type - Power Panel firmware upgrades are sometimes publicly downloadable
- Bus controller firmware (for web-update method) may be available via B&R support ticket or community
For firmware not available publicly:
- B&R Community Forum (
community.br-automation.com): Search for your module and firmware version. Community members sometimes share links or guidance. - Third-party industrial parts suppliers (EU Automation, all4sps, etc.): Sometimes provide firmware with refurbished modules
- B&R local sales office: Even without a service contract, a local B&R office may provide firmware files as a courtesy, especially for safety-related hardware
3.5 The CF Card as Firmware Carrier
When you download a project from Automation Studio to a target via Transfer, AS writes:
- The AR runtime image
- The application program
- All module firmware files
The resulting CF card contains everything the target needs. Back up every CF card you encounter — it is a complete firmware snapshot of the system.
4. Firmware Downgrade Paths
4.1 Can You Downgrade?
| Component | Downgrade Possible? | Method | Notes |
|---|---|---|---|
| CPU AR version | Yes | CF card rebuild with older AR, or Change Runtime in AS | May erase user data; re-transfer required |
| I/O module firmware | Yes (automatic) | CPU pushes firmware during download | Newer modules may not support very old firmware |
| Bus controller | Depends | Web interface (X20BC0088) or via CPU download | Some versions block downgrade |
| ACOPOS drives | Generally no | Not typically supported | Drive firmware is usually forward-only |
4.2 Downgrading the CPU Runtime
- In Automation Studio, open the project
Physical View > Right-click CPU > Change Runtime- Select the older AR version from the installed upgrades
- Re-transfer the project to the target — this will re-flash the CF card with the older runtime
- The CPU will reboot with the downgraded runtime
Warning: Downgrading the runtime may clear retentive data. Back up all parameters and recipes first.
4.3 Downgrading I/O Module Firmware
When you transfer a project to the CPU, the CPU automatically pushes the correct firmware to all modules on the X2X Link. If the project specifies an older firmware version for a module, the CPU will downgrade it during the transfer.
Known issue: Some very old firmware versions of bus controllers (X20BC0083, X20BC0088) are incompatible with modern web browsers. If you need to access the web interface for diagnostics after a downgrade, use an older browser or access via Automation Studio instead.
4.4 Interface Module Upgrade Requirements for CP1584
When replacing an X20CPx48x with an X20CPx58x, certain interface modules require a minimum hardware upgrade AND hardware revision. Key modules that may need upgrades:
| Module | Minimum Upgrade | Minimum HW Revision |
|---|---|---|
| X20IF1020 | 1.1.5.1 | H0 |
| X20IF1030 | 1.1.5.1 | I0 |
| X20IF1061 | — | E0 |
| X20IF1063 | 1.1.5.0 | — |
| X20IF1072 | 1.0.5.1 | — |
| X20IF1082 | 1.2.2.0 | — |
| X20IF2772 | 1.0.6.1 | — |
| X20IF2792 | 1.0.5.1 | — |
Modules not listed (X20IF1041-1, X20IF1043-1, X20IF1051-1, etc.) work without upgrade requirements.
5. Compatibility Matrix: AS, AR, and Module Firmware
5.1 How the Matrix Works
There is no single publicly-published table that maps every AS version to every AR version and every module firmware version. The compatibility information is distributed across:
- AS Release Notes — lists supported AR versions
- Hardware Upgrade Descriptions — each HW upgrade package specifies which AS version it requires and what modules it covers
- Product Data Sheets — show first/last supported AS version for each hardware item
- Automation Studio Upgrade Dialog — filters available upgrades by AS version
5.2 Practical Compatibility for X20CP1584
| AS Version | AR Versions Available | Notes |
|---|---|---|
| AS 3.0.90+ | AR 3.x | Earliest AS supporting CP1584 |
| AS 4.x (4.1–4.12) | AR 4.x (4.10, 4.12, 4.90, 4.93) | Primary target for CP1584 |
| AS 6.x | AR 6.x | Incompatible with AR 4.x targets |
Key principle: The CP1584 is a legacy X20 CPU. Its latest supported AR versions are in the 4.x series (up to 4.93). Automation Studio 4.12 is the last AS version that can target it.
5.3.1 AS4 to AS6 Migration (When Upgrading Hardware)
B&R has released Automation Studio 6 as the successor to AS4. AS6 targets AR 6.x and introduces a new project format, updated IDE, and shared upgrades. Migration from AS4 to AS6 is a one-way process — AS6 projects cannot be opened in AS4.
Community migration tools (free, open-source):
| Tool | URL | Purpose |
|---|---|---|
| as6-migration-tools | github.com/br-automation-community/as6-migration-tools | Python scripts that analyze AS4 projects and generate migration reports highlighting deprecated libraries, unsupported function blocks, and syntax changes |
| AS6 Conversion Tool | Built into AS6 | Official B&R conversion tool (File > Convert); requires AS4.12 project as input |
| BRLibToHelp | github.com/br-automation-community/BRLibToHelp | Parses B&R Automation Studio libraries and generates CHM help files — useful for documenting library dependencies before migration |
| SBOM Generator | github.com/br-automation-community | Generates CycloneDX 1.5 SBOMs from AS6 projects — useful for inventorying library usage |
Migration path for CP1584 users upgrading to newer X20 hardware (e.g., X20CP3484):
- Install AS4.12 (your current version) and AS6 side by side on the same PC
- Use as6-migration-tools on your existing AS4 project to generate a migration report
- In AS4.12, ensure the project is at the latest AS4 version (4.12)
- Open AS6 and use File > Convert to import the AS4.12 project
- Address any migration issues flagged by the conversion tool
- The converted AS6 project targets AR 6.x, which runs on newer X20 CPUs (CP3484, CP3584)
- See remanufacturing.md for the full hardware migration workflow
Key AS4 → AS6 changes affecting migration:
- mapp Framework 6 is now available for AS6 (see community.br-automation.com/t/mapp-framework-6-released-for-automation-studio-6-voting-started/10277)
- Shared upgrades: AS6 uses a central upgrade repository instead of per-version installs
- PVI 6.x drops INA2000 protocol support — only ANSL and SNMP lines are available (see pvi-api.md)
- OPC-UA configuration model updated; check namespace migration paths
- Some C library APIs may have changed — verify with the migration report
5.3 Checking Compatibility for Your System
- Determine the CPU’s current AR version (Section 2.1)
- Install AS 4.12 with evaluation license
- Install all available upgrades via
Tools > Upgrades— click the “Legacy” button to show older/supported packages - Create a matching project: In AS, when you add the CPU to the Physical View, the available runtime versions shown in
Change Runtimeare those compatible with that CPU - For each I/O module: The HW upgrade installed on the PC determines what firmware the project will push to the module. Ensure the HW upgrade for each module is installed
5.4 Safety Module Firmware Constraints
Safety I/O modules (X20SLx, X20SLXx) have additional firmware constraints:
- Only firmware versions listed in the FS certificates (Funktionssicherheit / Functional Safety certificates) are permitted
- FS certificates are available from the B&R website
- Using uncertified firmware on safety modules violates safety compliance — do NOT update safety module firmware without the correct FS certificate documentation
- If you encounter firmware mismatch warnings on safety I/O during bootup, check B&R community — some firmware versions generate false mismatch messages during boot that can be ignored if the module runs normally afterward
6. Safely Updating Firmware on a Production Machine
6.1 Pre-Update Checklist
Before any firmware update on a running production machine:
- Back up the existing CF card — image the entire CF card to a file using a card reader. This is your recovery path. See cf-card-boot.md for the backup procedure.
- Document all current versions — CPU AR version, every I/O module firmware, bus controller firmware, drive firmware. Use SDM or AS Physical View.
- Back up all parameters — ACOPOS drive parameters, recipe data, any retentive variables. Use AS to upload from target if possible.
- Verify AS version compatibility — the AS version on your PC must support the target AR version you plan to use
- Install required upgrades — AR upgrade and all HW upgrades on the development PC
- Schedule downtime — firmware updates require a full download cycle, which stops the application
- Notify operations — the machine will be unavailable during the update
- Have a fallback plan — the CF card backup allows you to restore the previous state if the update fails
6.2 Hot Download vs. Cold Download
Hot Download (Online Transfer Without Restart)
B&R supports downloading to a running system without stopping, under these conditions:
- The download does NOT require a runtime change
- The download does NOT require hardware configuration changes
- Only application code/logic is being updated
- Automation Studio determines whether a hot download is possible
When a hot download is possible, AS performs the transfer while the system continues running. The new code is activated on the next cycle boundary.
Cold Download (Full Download With Restart)
Required when:
- Changing the AR version
- Adding/removing/changing hardware configuration
- Updating module firmware
- Initial installation
The PLC will restart and re-initialize all I/O. Expect machine downtime of 2–10 minutes depending on configuration complexity.
6.3 Step-by-Step Firmware Update Procedure
Updating the CPU Runtime and Application
- Verify connectivity — AS
Online > Settings, confirm you can reach the target - Stop the target —
Online > Stop Target(or schedule during a maintenance window) - Change runtime if needed —
Physical View > Right-click CPU > Change Runtime - Install upgrades —
Tools > Upgrades, install AR and HW upgrade packages - Transfer —
Online > Transfer > Create File and Transfer(orTransfer All) - Monitor — watch the CPU LEDs:
- Green RDY/F double flash = system startup / firmware update in progress (can take several minutes)
- Solid green RDY/F = application running
- Red R/E = SERVICE mode (error or intentional stop)
- Warm restart —
Online > Warm Restartto start the application - Verify — confirm all I/O modules are online (check via SDM), check for error log entries
Updating Bus Controller Firmware (Web Method — X20BC0088)
- Connect to bus controller’s web server at
http://<BC-IP> - Navigate to
Advanced > BC Firmware Update - Login (default: admin / X20BC0088)
- Select the firmware file and click Start Download
- Wait for Download Progress to reach 100%
- Click Restart Bus Controller
- Verify on the Adapter Status page
Updating I/O Module Firmware
I/O module firmware is managed by the CPU during the download process. There is no separate firmware update procedure for X20 I/O modules:
- Ensure the correct HW upgrade is installed in AS
- Transfer the project to the CPU
- The CPU automatically pushes firmware to all X2X-connected modules
- If a module shows a firmware mismatch after transfer, verify the HW upgrade matches
Updating ACOPOS Drive Firmware
- Via Automation Studio: Connect to the CPU, open Drive Configuration, the firmware update happens as part of the download
- Via ACOPOS Service Tool: Direct serial connection to the drive for firmware updates independent of the CPU
- Warning: Drive firmware updates are typically one-directional (upgrade only). Confirm the new firmware is compatible with your ACP10/ACP10MC configuration before proceeding.
6.4 Recovery from a Failed Update
- Restore the backed-up CF card — insert the original CF card and power cycle. The machine should return to its pre-update state.
- If the CF card was corrupted during the update, use the CF card backup image to create a new card.
- If the CPU will not boot at all, set the mode switch to BOOT position and retry the transfer from AS.
7. Version Mismatch Symptoms and Resolution
7.1 Common Version Mismatch Scenarios
| Scenario | Symptom | Root Cause | Resolution |
|---|---|---|---|
| AS project AR != target AR | Transfer fails with version error | Project specifies a different AR than what is installed | Change Runtime to match target, or update target AR |
| Module firmware mismatch | Red blinking r LED on module; PLC logbook error 123416 | Module firmware doesn’t match what CPU expects | Transfer project again; install correct HW upgrade in AS |
| Standard library version mismatch | Compile error: “Module mtfilter has version V5.16 instead of required range V5.12” | Library version in project doesn’t match AS/AR version | Update library packages via Tools > Upgrades, or use correct AS version |
| AS version too new for AR | Target not found, or “No hardware” error | Newer AS cannot manage older AR targets | Install older AS version matching the AR generation |
| AS version too old for modules | Modules not listed in hardware catalog | HW upgrades for newer modules require newer AS | Install latest AS in the same major version line (e.g., AS 4.12 for AR 4.x) |
| Safety I/O false mismatch | Warning during boot but module runs normally | Known issue with certain safety module firmware versions | Verify in B&R community; ignore if module is operational and no real fault exists |
| Bus controller web interface issues | Cannot access BC web interface | Old BC firmware incompatible with modern TLS/browsers | Update BC firmware via Automation Studio download, or use older browser |
7.2 The “No Certificate” Problem
After upgrading AS (especially from v4.11 to v4.12.6 or to AS6), you may see a “No Certificate” status when trying to upgrade targets. This is related to B&R’s Technology Guarding cryptographic system. Resolution:
- Ensure the AS upgrade service has internet access (known issue in AS 6.5.2, fixed in 6.5.3)
- Reinstall the Technology Guard component
- Check that the evaluation license is active and valid
7.3 License Violation on Target
If the CPU’s RDY/F LED blinks yellow and the R/E LED blinks red simultaneously, this indicates a license violation. The application will not run. This typically occurs when:
- The AR version requires a license not present on the target
- The evaluation/runtime license has expired on the target
- A runtime feature (e.g., mapp components) requires additional licensing
Resolution: Upload the existing project from the target first (if possible), resolve the license issue, then re-transfer.
7.4 Configuration Version Mismatch
When trying to go online with a project that doesn’t match the target, AS will refuse the connection. The fix:
- Upload the configuration from the target (
Online > Upload) - Compare with the project offline
- Align the project to match the target, or vice versa
8. B&R Download Portal Access Issues for Non-Customers
8.1 What Requires Login
Most firmware files on br-automation.com require a B&R portal account. This includes:
- HW upgrade packages (module firmware)
- AR runtime upgrades
- Safety certificates
- Some product documentation
8.2 Workaround Strategies
| Strategy | How | Limitations |
|---|---|---|
| 90-day eval license | Register at br-automation.com/software-registration | Grants AS download; upgrade downloads work within AS |
| B&R Community Forum | community.br-automation.com — ask for guidance | Community members may provide firmware links or files |
| Local B&R office | Contact directly, explain the situation (defunct OEM, no support contract) | May provide files as a goodwill gesture |
| Industrial parts suppliers | EU Automation, all4sps, UsedBrAutomation | Some include firmware with module purchases |
| CF card archival | Back up every CF card you encounter | Pre-loaded CF cards contain the firmware that was running |
| Third-party forums | PLCTalk.net, Reddit r/PLC | Occasional file sharing, use at your own risk |
8.3 Self-Registration for Portal Access
As of recent B&R policy, anyone can register on br-automation.com for a basic account. The registration provides access to:
- Software downloads (including AS evaluation)
- Some firmware upgrade packages
- Product documentation and data sheets
- Automation Help (online documentation)
Register at: br-automation.com > Service > Software Registration
8.4 Downloading Firmware Via Automation Studio Tools > Upgrades
The primary method for obtaining AR runtime and hardware firmware packages is through Automation Studio itself, not the B&R website. This is a critical workflow for engineers without OEM support contracts:
How it works:
- Install Automation Studio (any version — evaluation license is sufficient for this purpose)
- Launch AS and go to Tools > Upgrades
- The upgrades dialog connects to B&R’s server and downloads a catalog of all available upgrades
- Select the target platform (e.g., “PPC5x” for X20CP1584) and browse available AR versions
- Click “Download Selected Upgrades” to download firmware packages to your local PC
- The downloaded packages are installed locally and become available for use in projects and online transfers
Important details from B&R Community (community.br-automation.com):
- The upgrade service accesses
https://www.br-automation.comto download files — your IT firewall must allow this - Downloaded files are temporarily stored in
C:\Temp(or extracted fromhttps://www.br-automation.com/addons_xml.zip) - The Windows service running the upgrade process needs rights to: access B&R homepage, download files to
C:\Temp, unzip files, and install them - If
Tools > Upgradesshows outdated or missing upgrades, delete everything inC:\Tempand restart the PC — this is the standard fix per B&R support - AS versions older than V4.6 have discontinued upgrade servers — if you need very old AR versions (3.0.x), you must use AS 3.0.90 or manually locate the upgrade files
Local upgrade installation:
If Tools > Upgrades > Online doesn’t work (no internet access, firewall issues, or discontinued service for older versions):
- Obtain the upgrade
.exeor.zipfiles from another source (colleague, archived backup, CF card extraction) - In AS, go to Tools > Upgrades > Local
- Point to the directory containing the upgrade files
- Install manually
With evaluation license:
Per the B&R Community, with an evaluation version of AS you can still download upgrades via Tools > Upgrades. The evaluation license is sufficient for this purpose. You must manually select and download the correct upgrade files.
8.5 Long-Term Firmware Archival Strategy
8.6 Known AR Version History for CP1584
This is a partial reconstruction of the AR version history relevant to the CP1584, compiled from community discussions, release notes, and field reports:
| AR Version | AS Version Required | Key Changes | Status |
|---|---|---|---|
| 3.0.90 | AS 3.0.90 | Initial CP1584 support (CPx58x migration from CPx48x) | Obsolete |
| 4.10 | AS 4.x | Major feature release for X20; widely deployed on CP1584 machines | Classic |
| 4.33 | AS 4.x | Enhanced OPC-UA, performance improvements | Classic |
| 4.80 | AS 4.x | OPC-UA FX, mappView improvements | Classic |
| 4.93 | AS 4.x (4.3.5+) | Latest AR 4.x; security patches (CVE-2025-11044, CVE-2025-3450) | Active |
| 6.x | AS 6.x | Next generation; requires hardware migration (CP1684 or newer) | Active |
Note: The jump from AR 4.x to AR 6.x is a generational change, not an incremental update. AR 6.x does NOT run on CP1584 hardware. The CP1584 maxes out at AR 4.93 (the latest AR 4.x release).
AR 4.93 is the recommended target for all CP1584 machines — it is the final AR 4.x release and includes all security patches. If your machine is running an older AR 4.x version, upgrading to 4.93 should be your first priority.
AR 4.93 upgrade packages for CP1584 (known filenames):
| Package | Filename | AR Version | Date | Size | Notes |
|---|---|---|---|---|---|
| Standard upgrade | AS4_AR_G0493_X20CP1584.exe | 4.93.x | 07/25/2023 | ~13 MB | Standard (no prefix) AR upgrade |
| Embedded upgrade | AS4_AR_E0493_X20CP1584.exe | E4.93.5.2 | 04/14/2023 | ~13 MB | Embedded variant (same hardware, different prefix) |
Note: Both
G(standard) andE(embedded) prefix variants exist for the CP1584 AR 4.93 upgrade. The correct one depends on which AR version string your CF card currently reports. Use the boot screen or SDM to check before downloading. If unsure, theG(no prefix) variant is the standard track for X20CP1584.
Since portal access can be revoked and OEM relationships don’t exist:
- Download and archive all upgrade packages from
Tools > Upgradeswhile you have AS access - Image every CF card immediately upon receiving a machine — store as
.imgor.isofiles - Document the upgrade chain — which AS version, which AR version, which HW upgrade versions for each module
- Store offline copies of Automation Studio installers — the installer contains the base upgrade set
- Maintain a version compatibility spreadsheet for each machine documenting the exact stack
9. Quick Reference Procedures
9.1 Complete Firmware Inventory (No Project Files)
1. Power cycle the machine, watch the boot screen — note AR version
2. Connect PC to machine network, scan for B&R devices (try 192.168.1.x)
3. Open browser to CPU IP — use SDM to catalog all I/O modules and firmware versions
4. If bus controllers are present, connect to their web interfaces for firmware info
5. For ACOPOS drives, check Service Menu for firmware version
6. Record everything in a firmware inventory log
9.2 Preparing a Development Environment From Scratch
1. Register for B&R evaluation license at br-automation.com
2. Download and install Automation Studio 4.12 (for AR 4.x targets)
3. Activate evaluation license via CodeMeter
4. Open AS, go to Tools > Upgrades
5. Click "Legacy" button to show all upgrade packages
6. Install the AR upgrade matching the target's current version
7. Install all HW upgrades — these cover module firmware
8. Create a new project matching the hardware configuration
9. Connect to the target and verify online access
9.3 Emergency Firmware Recovery
1. Power down the machine
2. Remove the CF card from the CPU
3. Insert the CF card into a PC card reader
4. Image the card (dd or Win32DiskImager) — save as backup
5. If you have a known-good CF image, restore it to the card
6. Reinsert CF card into CPU
7. Set mode switch to RUN
8. Power up — machine should return to the last known state
10. Troubleshooting Table
| Problem | First Check | Resolution Path |
|---|---|---|
| Cannot connect AS to target | Ping target IP | Check Ethernet cable, IP subnet, firewall |
| Target not found in AS | Online > Settings | Verify IP; mode switch must be in RUN |
| “No hardware” when going online | AS version vs AR version | AS version must match AR generation |
Module r LED blinking after transfer | Module firmware mismatch | Install correct HW upgrade; re-transfer |
| Transfer fails with version error | Project AR vs target AR | Change Runtime to match target |
| CF card not detected | CF LED on CPU | Try known-good CF card; check CF slot contacts |
| CPU stuck in SERVICE mode | Check PLC logbook via SDM | Address the error; warm restart from AS |
| Bus controller web interface not loading | Firmware too old for modern browsers | Update BC firmware via AS transfer |
| ACOPOS drive fault after AS transfer | Drive parameter mismatch | Re-transfer drive parameters; check .GDM version |
| Battery LED red | Backup battery depleted | Replace CR2477N battery within 1 minute |
Key Findings
-
The 90-day evaluation license is the primary access path. B&R’s self-service evaluation registration provides unrestricted AS functionality including
Tools > Upgradesfor downloading AR and HW packages. The 90-day window can be renewed indefinitely. This is the most practical method for non-customers to obtain firmware. -
Firmware lives in three layers. CPU (AR), I/O modules (HW firmware pushed by CPU via X2X), and drives (separate firmware). All three must be compatible for the system to function. Mismatches at any layer cause errors.
-
The CF card is a complete firmware snapshot. Backing up the CF card preserves the AR runtime, application, and module firmware references. This is your most important recovery asset. Archive every CF card image.
-
I/O module firmware is managed by the CPU, not individually. You cannot update a single X20 I/O module’s firmware in isolation — the CPU pushes firmware during the project transfer. The correct HW upgrade must be installed on the development PC.
-
AS 4.12 is the end of the line for X20CP1584. The CP1584 runs AR 4.x, and AS 4.12 is the last AS version in the 4.x product line. AS 6.x targets AR 6.x and is not backward compatible with AR 4.x targets. Always use AS 4.12 for these systems.
-
Version mismatches generate specific error patterns. Red blinking module LEDs, PLC logbook error 123416 for firmware mismatch, compile errors citing exact version ranges for library mismatches. Learn these patterns to diagnose quickly.
-
Downgrades are possible for CPU and I/O modules but not drives. CPU runtime can be changed via
Change Runtimein AS. I/O modules are automatically downgraded by the CPU during transfer. ACOPOS drives generally do not support firmware downgrade. -
Safety module firmware has legal constraints. Only firmware versions listed in the FS (Functional Safety) certificates are permitted. Never update safety module firmware without the correct certificate documentation. Some versions generate false mismatch warnings during boot — verify via B&R community before taking action.
-
The System Diagnostics Manager (SDM) is your best friend. Accessible via web browser at the CPU’s IP address, SDM provides complete firmware inventory, I/O topology, drive status, logbook access, and diagnostic tools without requiring Automation Studio or any B&R account. It works even when the PLC is in SERVICE mode.
-
Archive everything offline. Portal access, evaluation licenses, and community resources may not be available when you need them most. Store AS installers, upgrade packages, CF card images, and documentation on local media that is independent of any B&R infrastructure.
-
AR R4.93.5.2 is the latest available patch for CP1584. The V4.12 AR Upgrade package
AS4_AR_E0493_X20CP1584.exe(version 4.93.5.2, dated 2023-04-14) is the last known AR upgrade specifically for the X20CP1584. After applying this, the system is protected against CVE-2025-11044 (ANSL DoS), CVE-2025-3450 (SDM DoS), CVE-2023-3242 (Portmapper DoS), and CVE-2022-4286 (SDM XSS). However, CVE-2024-0323 (FTP weak TLS), CVE-2021-22275 (webserver buffer overflow), and the SA25P003 CVEs (CVE-2025-3449/3448/11498 — SDM session takeover, XSS, CSV injection) remain unpatched on all AR 4.x versions. -
B&R software lifecycle follows Active → Classic → Limited → Obsolete phases. Software/firmware maintenance starts during Active phase and continues through Classic. During Classic, B&R recommends not deploying new instances. The Limited phase ends production. See spare-parts.md for lifecycle details and remanufacturing.md for migration planning.
11. Complete CVE and Security Advisory Reference for AR 4.x
The CP1584 runs AR 4.x, which is the end-of-life firmware branch. Security patches are no longer being produced for AR 4.x. The following CVEs are known to affect AR 4.x systems. This is the definitive reference for understanding your security exposure.
11.1 CVEs Patched in AR 4.93.5.2 (Last AR 4.x Patch)
The AR upgrade package AS4_AR_E0493_X20CP1584.exe (version 4.93.5.2, dated 2023-04-14) is the last security update for AR 4.x on the CP1584. It addresses:
| CVE | CVSS | Component | Vulnerability | Status on AR 4.93.5.2 |
|---|---|---|---|---|
| CVE-2025-11044 | 7.5 (High) | ANSL Service | Denial of Service via crafted packet | Patched |
| CVE-2025-3450 | 7.5 (High) | SDM | Denial of Service via improper resource locking | Patched |
| CVE-2023-3242 | 7.5 (High) | Portmapper | Denial of Service via crafted request | Patched |
| CVE-2022-4286 | 6.1 (Medium) | SDM | Cross-site scripting (stored XSS) | Patched |
11.2 CVEs UNPATCHED on All AR 4.x Versions
These vulnerabilities remain unpatched on the CP1584 regardless of what AR 4.x version is installed. B&R has confirmed fixes only exist in AR 6.x+.
| CVE | CVSS | Component | Vulnerability | Impact | Mitigation |
|---|---|---|---|---|---|
| CVE-2025-3449 | 4.2 (Medium) | SDM | Session ID prediction — predictable session tokens allow session takeover | Network attacker can hijack SDM session | Disable SDM if not needed; place on isolated network segment |
| CVE-2025-3448 | 6.1 (Medium) | SDM | Reflected XSS — arbitrary JavaScript execution in browser | Attacker can execute code in victim’s browser via crafted URL | Use WAF; do not follow untrusted links to SDM |
| CVE-2025-11498 | 6.1 (Medium) | SDM | CSV injection — formula injection in exported CSV files | Attacker can inject formulas via crafted link to exported data | Do not open SDM CSV exports in Excel; use text editor |
| CVE-2024-0323 | 9.8 (Critical) | FTP Server | Use of broken/risky cryptographic algorithm (SSLv3, TLSv1.0, TLSv1.1) | Man-in-the-middle can decrypt FTP traffic including credentials and CF card backups | Disable FTP; use VPN for any FTP access; use SFTP tunnel |
| CVE-2021-22275 | 9.8 (Critical) | Web Server | Buffer overflow in web server | Remote code execution via crafted HTTP request | Disable web server; place on isolated network; use firewall |
| SA25P002 (ICSA-26-125-03) | 7.5 (High) | ANSL Server | DoS via insufficient throttling (newly disclosed) | Network attacker can cause ANSL service denial | Isolate ANSL traffic; use network firewall rules |
| SA25P007 (ICSA-26-141-03) | 9.8 (Critical) | Automation Studio | 25 SQLite CVEs (heap overflow, out-of-bounds read, use-after-free, NULL pointer deref) in bundled SQLite library. Criticals: CVE-2025-3277 (heap buffer overflow CVSS 9.8), CVE-2025-6965 (numeric truncation CVSS 9.8), CVE-2019-8457 (OOB read CVSS 9.8). Exploitation requires opening a crafted project file | Code execution via malformed .apj/.ar files | Upgrade AS to 6.5; do not open untrusted project files |
| SA24P011 | Varies | Multiple | Several vulnerabilities (see B&R advisory PDF) | Varies by component | Apply AR 4.93.5.2 if not already installed |
11.3 CVEs Patched in Earlier AR 4.x Versions
These were addressed in intermediate AR 4.x patches. If you are running an AR version earlier than 4.93.5.2, these also affect your system.
| CVE | CVSS | Patched In AR | Component | Vulnerability |
|---|---|---|---|---|
| CVE-2020-28207 | 9.8 (Critical) | ~4.80 | OPC-UA Server | Remote code execution via crafted OPC-UA message |
| CVE-2020-28208 | 9.8 (Critical) | ~4.80 | OPC-UA Server | Heap overflow in OPC-UA binary message decoder |
| CVE-2020-28209 | 9.8 (Critical) | ~4.80 | OPC-UA Server | Integer overflow in OPC-UA message processing |
11.4 Risk Assessment for CP1584 on Production Networks
Given the unpatched vulnerabilities, the CP1584 on a production network presents the following risk profile:
| Attack Vector | Severity | Likelihood | Impact | Mitigation |
|---|---|---|---|---|
| FTP credential capture (CVE-2024-0323) | Critical | High (any network attacker) | Full CF card access including credentials, configuration, and program backups | Disable FTP service; use VPN if FTP must be used; enforce network segmentation |
| Web server RCE (CVE-2021-22275) | Critical | Medium (requires crafted request) | Full system compromise | Disable web server; place CPU on isolated control network; use PLC-side firewall |
| SDM session takeover (CVE-2025-3449) | Medium | Low (requires network access + active session) | Read diagnostic data; no write impact | Disable SDM; monitor SDM access logs; use only from trusted workstations |
| SDM XSS (CVE-2025-3448) | Medium | Low (requires user to click crafted link) | Browser session compromise | Educate operators; do not follow untrusted links to PLC IP |
| ANSL DoS (CVE-2025-11044, SA25P002) | High | Medium | Loss of AS connectivity; inability to download/upload; no program changes | AR 4.93.5.2 patches CVE-2025-11044; isolate ANSL traffic for SA25P002 |
| OPC-UA RCE (CVE-2020-28207/208/209) | Critical | Low (requires OPC-UA enabled + network access) | Full system compromise | AR 4.80+ patches these; ensure AR >= 4.80 if OPC-UA is used; use OPC-UA security policies |
11.5 Practical Security Hardening for Legacy AR 4.x CP1584
Since no more patches are coming for AR 4.x, implement these compensating controls:
Network Segmentation (Most Important)
┌─────────────────────────────┐
│ Plant Ethernet Switch │
│ (managed, VLAN-capable) │
└──────────┬──────────────────┘
│
┌──────────┴──────────────────┐
│ Firewall / ACL Rules: │
│ - Block all inbound to PLC │
│ - Allow only ANSL (30303/11169 UDP)
│ - Allow OPC-UA (4840) from SCADA only
│ - Block FTP (21) at switch │
│ - Block HTTP (80/443) at switch│
└──────────┬──────────────────┘
│
┌──────────┴──────────────────┐
│ CP1584 Control Network │
│ (isolated VLAN or physical │
│ network segment) │
└─────────────────────────────┘
Service Disabling Checklist
| Service | Port | Disable If | How to Disable |
|---|---|---|---|
| FTP Server | 21 | Not needed for operations | CPU > FTP settings > uncheck (requires AS project download) |
| Web Server / SDM | 80/443 | SDM not needed for operations | CPU > System diagnostics > uncheck (requires AS project download) |
| OPC-UA Server | 4840 | OPC-UA not used | CPU > OPC-UA settings > disable (requires AS project download) |
| ANSL Discovery | 30303, 11169 UDP | Only needed during AS development | CPU > Ethernet > disable ANSL (requires AS project download) |
| VNC Server | 5900 | VNC not configured | N/A (only active if configured in project) |
Important limitation: Disabling services requires modifying the Automation Studio project and re-downloading. If you have no AS project and no credentials, the services remain active. In that case, network-level blocking is your only option.
Firewall Rules for PLC Protection
## iptables example for Linux-based firewall protecting a CP1584
## Block all inbound to PLC except required services
iptables -A INPUT -s <PLC_IP> -j DROP
## Allow ANSL from Automation Studio workstation only
iptables -A INPUT -s <AS_WORKSTATION_IP> -d <PLC_IP> -p udp --dport 30303 -j ACCEPT
iptables -A INPUT -s <AS_WORKSTATION_IP> -d <PLC_IP> -p udp --dport 11169 -j ACCEPT
## Allow OPC-UA from SCADA server only (if used)
iptables -A INPUT -s <SCADA_IP> -d <PLC_IP> -p tcp --dport 4840 -j ACCEPT
## Block FTP at the network level (CVE-2024-0323 mitigation)
iptables -A INPUT -d <PLC_IP> -p tcp --dport 21 -j DROP
## Block web server at the network level (CVE-2021-22275 mitigation)
iptables -A INPUT -d <PLC_IP> -p tcp --dport 80 -j DROP
iptables -A INPUT -d <PLC_IP> -p tcp --dport 443 -j DROP
11.6 B&R Security Advisory Reference Links
| Advisory | Source | URL |
|---|---|---|
| SA25P003 (SDM session takeover, XSS, CSV injection) | ABB PSIRT / CISA | ICSA-26-141-04 |
| SA25P002 (SDM DoS) | ABB PSIRT | SA25P002 PDF |
| SA25P003 CSAF JSON | GitHub | cisagov/CSAF |
| CVE-2025-3450 | NVD | NVD |
| CVE-2025-3449 | NVD | NVD |
| CVE-2025-3448 | NVD | NVD |
| CVE-2025-11498 | NVD | NVD |
| CVE-2024-0323 | Tenable | Tenable OT Plugin 503274 |
| CVE-2021-22275 | B&R / NVD | Search NVD |
| ANSL DoS (ICSA-26-125-03) | CISA | ICSA-26-125-03 |
| B&R Cyber Security Advisories Portal | B&R | br-automation.com/cyber-security |
| Community Cyber Security FAQ | B&R Community | community.br-automation.com |
Cross-References
| Related Document | Content | Relevance |
|---|---|---|
| firmware.md | Firmware architecture, CF card boot, update mechanism | The companion document covering firmware internals and the boot process |
| cf-card-boot.md | CF card file layout, boot sequence, firmware partitions | Understanding where firmware files live on the CF card |
| bootloader-recovery.md | Recovery mode, unbrick procedures, TFTP firmware reload | What to do when a firmware update fails |
| ar-rtos.md | AR internals, CVE table, OS architecture | Understanding which CVEs are fixed in which AR version |
| cybersecurity-hardening.md | Security hardening, unpatchable CVEs, network isolation | Why firmware updates matter for security |
| cp1584-hardware-ref.md | CP1584 hardware specs, LED codes, DIP switches | Hardware identification for firmware compatibility checks |
| remanufacturing.md | Migration paths, hardware replacement, platform changes | When to upgrade firmware vs replace hardware |
| ftp-web-interface.md | FTP access to CF card, remote firmware backup | Using FTP to back up firmware before updating |
Sources: B&R AR Upgrade download page (br-automation.com), B&R SA25P003/ICSA-26-141-04, B&R SA25P002, B&R Lifecycle Policy, CISA ICS Advisories, NVD vulnerability database, B&R Community Forum