Private and Confidential

Revision Date Details

1.0 05/10/2012 Rev D Build 1 and Build 2 Image and Upgrade Release Notes

© 2012, Byres Security Inc

While this information is presented in good faith and believed to be accurate, Byres Security Inc.
disclaims the implied warranties of merchantability and fitness for a particular purpose and makes no
express warranties except as may be stated in its written agreement with and for its customers. In no
event is Byres Security Inc. liable to anyone for any indirect, special or consequential damages. The
information and specifications in this document are subject to change without notice.
Tofino™, Tofino™ Industrial Security Solution and Tofino™ Intrinsically Secure are trademarks of Byres
Security Inc. Other brand or product names are trademarks of their respective owners. While every
precaution has been taken in the preparation of this document, the publisher and the author assume no
responsibility for errors or omissions, or for damages resulting from the use of information contained in
this document or from the use of programs and source code that may accompany it. In no event shall the
publisher and the author be liable for any loss of profit or any other commercial damage caused or alleged
to have been caused directly or indirectly by this document.

This document contains confidential material and is submitted to the addressee and appropriate
staff at Honeywell Process Solutions and MTL Instruments only. It cannot be shown to or
forwarded to third parties without the written permission of Byres Security Inc.

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx ii
 Private and Confidential

1 Introduction ...................................................................................................................................1
2 USB Key Update Packages .........................................................................................................2
2.1 Rev B to Rev D/Build 1-Release ................................................................................................ 2
2.1.1 Purpose .............................................................................................................................. 2
2.1.2 Zip Archive ......................................................................................................................... 2
2.1.3 Impact ................................................................................................................................ 2
2.1.4 Procedure ........................................................................................................................... 2
2.2 Rev B or D/Build 1 to Rev B or D/Build 2 ................................................................................. 2
2.2.1 Purpose .............................................................................................................................. 2
2.2.2 Distribution ....................................................................................................................... 2
2.2.3 Zip Archive ......................................................................................................................... 2
2.2.4 Impact ................................................................................................................................ 3
2.2.5 Procedure ........................................................................................................................... 3
2.3 Rev B or D/Build 2 to Rev B or D/Build 1 ................................................................................. 3
2.3.1 Purpose .............................................................................................................................. 3
2.3.2 Zip Archive ......................................................................................................................... 3
2.3.3 Impact ................................................................................................................................ 3
2.3.4 Procedure ........................................................................................................................... 3
3 USB Key Procedures .....................................................................................................................4
3.1 Upgrade ( Revision B to Revision D Release) .......................................................................... 4
3.1.1 Setup of Equipment........................................................................................................... 4
3.1.2 Procedure ........................................................................................................................... 4
3.1.3 Confirmation ..................................................................................................................... 4
3.2 Configuration Updates (Rev B or D Build 1 to Build 2 or Vice-versa) ..................................... 5
3.2.1 Required Equipment ......................................................................................................... 5
3.2.2 Setup of Equipment........................................................................................................... 5
3.2.3 Procedure ........................................................................................................................... 5
3.2.4 Confirmation ..................................................................................................................... 5
4 Warnings ........................................................................................................................................7
5 Firmware Features ........................................................................................................................8
5.1 Firewall Filtering ........................................................................................................................ 8
5.2 Reporting .................................................................................................................................... 8
5.3 Diagnostics .................................................................................................................................. 8
5.4 Firmware Updating .................................................................................................................... 8
6 Enhancements ..............................................................................................................................9

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx iii
 Private and Confidential

7 Known Issues ...............................................................................................................................10

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx iv
 Private and Confidential

The following release notes describe the USB Key based upgrades available for Revision D of the
Honeywell Modbus TCP Firewall. Three separate USB Key Update Packages are provided in this release.
These are:

Rev B to Rev D/Build 1 Release Firmware Upgrade

Rev B or D/Build 1 to Rev B or D/Build 2 Configuration Update
Rev B or D/Build 2 to Rev B or D/Build 1 Configuration Update

Each is described in detail in the following sections.

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx 1
 Private and Confidential

This update package will field upgrade any version of Honeywell Modbus TCP Firewall Revision B
firmware to the full release version of the Revision D/Build 1 firmware.
This update package is suitable for distribution to Honeywell Modbus TCP Firewall end-users, pending
testing and approval by Honeywell.

The USB key update archive for upgrading Honeywell Modbus TCP Firewall Revision B devices to
Revision D/Build 1 Release is called:
honeywell-modbus-tcp-revB-build1-to-revD-build1-upgrade.zip

The files in this zip archive should be unpacked and placed on a 2.0 USB key, capacity 1 gigabyte or
smaller.
The md5 hash for the image archive is:

936d7395d9804193737fb2df05ed95d8

This update package is a minor update. The update process will take less than 2 minutes and there is no
reboot involved. There will be a loss of network traffic during the upgrade process.
Once the update is applied, the Honeywell Modbus TCP Firewall device will be at Revision D Build 1.

See Section 3.1

This update package will set the network interface settings of the Honeywell Modbus TCP Firewall device
to 100Mbps full duplex with no auto negotiation. Both Revision B Build 1 and Revision D Build 1
firmware can be updated using this package.

This update package is suitable for distribution to Honeywell Modbus TCP Firewall end-users, pending
approval by Honeywell.

The USB key update archive for updating Honeywell Modbus TCP Firewall Revision B Build 1 or
Revision D Build 1 device configuration to Revision B Build 2 or Revision D Build 2 is called:

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx 2
 Private and Confidential

honeywell-modbus-tcp-revBD-build1-to-revBD-build2-update-key.zip

The files in this zip archive should be unpacked and placed on a 2.0 USB key, capacity 1 gigabyte or
smaller.
The md5 hash for the image archive is:

c104e9c08ec8167227d121e205b68891

This update package involves a change in the network interface settings. The update process will take
approximately 25 seconds to complete. Since this configuration update involves network interface
settings, network traffic may be impacted for up to 1 second.
Once the update is applied, the Honeywell Modbus TCP Firewall device will be at Revision B or D Build 2.

See Section 3.2

This update package will set the network interface settings of the Honeywell Modbus TCP Firewall to
auto-negotiate. Both Revision B Build 2 and Revision D Build 2 firmware can be updated with this
package.

The USB key update archive for updating Honeywell Modbus TCP Firewall Revision B Build 2 or
Revision D Build 2 device configurations to Revision B Build 1 or Revision D Build 1 is called:
honeywell-modbus-tcp-revBD-build2-to-revBD-build1-update-key.zip

The files in this zip archive should be unpacked and placed on a 2.0 USB key, capacity 1 gigabyte or
smaller.
The md5 hash for the image archive is:
57e1206fdeb28b692249790348e6703c

This update package involves a change in the network interface settings. The update process will take
approximately 25 seconds to complete. Since this configuration update involves network interface
settings, network traffic may be impacted for up to 1 second.
Once the update is applied, the Honeywell Modbus TCP Firewall device will be at Revision B Build 1 or
Revision D Build 1.

See Section 3.2

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx 3
 Private and Confidential

This procedure applies to upgrades from Revision B Build 1 to the Revision D Build 1 Release
version of the Honeywell Modbus TCP Firewall device.
This update is minor and will take less than 2 minutes. There will be a loss of network traffic during the
upgrade process.
Required Equipment
1) 1 Honeywell Modbus TCP Firewall with Revision B Build 1 firmware
2) 1 USB Key (Must be USB Version 2.0 and 1 gigabyte or less in size)
3) The update zip file (the files as described in sections 2.1)

Unpack the zip file and place the contents on the USB key.

1) Place the prepared USB key into a USB slot on the Honeywell Modbus TCP Firewall.
2) Press and hold down the button on the Honeywell Modbus TCP Firewall until the LEDs start
flashing in a marquee fashion upward from the USB ports (This takes approximately 6 to 8
seconds). Release the button once the flashing starts.
3) When the marquee display stops and the normal Honeywell Modbus TCP LED display (Mode
LED on solid and Power LED on solid) returns, the update is complete.

1) Place an empty USB key into a USB slot on the Honeywell Modbus TCP Firewall
2) Execute a USB Diagnostic Save by pressing and releasing the button on the device, for
approximately 2 seconds. The LEDs will start flashing in a marquee fashion downward towards
the USB port.
3) When the marquee display stops and the normal Honeywell Modbus TCP Firewall LED display
(Mode LED on solid and Power LED on solid) returns, the Diagnostic Save is complete.
4) Examine the resulting file (typically 00_00_xx_xx_xx_xx.diag) on the USB key using a standard
text editor such as WordPad. The resulting file should have a top section similar in format to the
following :
=============================================================================
Tofino ID: 00:00:11:8D:91:27
Firmware Base:
Tofino Linux: 1.3.0
Linux 00:00:11:8D:91:27 2.6.26.5 #11 Tue Feb 10 15:34:23 PST 2009 armv5teb unknown
Honeywell Version information:
Tofino Type: 0
Firmware Rev: 4.1
Hardware Rev: 1.0
=============================================================================
5) The Firmware Rev should indicate 4.1 as shown above. The Tofino Type should be 0 (zero), which
indicates a Honeywell Modbus TCP Firewall.

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx 4
 Private and Confidential

This procedure applies to configuration changes to Revision B or Revision D versions of the Honeywell
Modbus TCP Firewall device in order to set the Ethernet interface to either Auto Negotiate or 100
Mbps/Full Duplex.
This configuration update package only involves a change in the network interface settings and will take
approximately 25 seconds to complete. Since this update involves network interface settings, network
traffic may be impacted for up to 1 second.

1) 1 Honeywell Modbus TCP Firewall with Revision B or Revision D Release firmware

2) 1 USB Key (USB Version 2.0 and 1 gigabyte or less in size)
3) The update zip file (one of the files as described in sections 2.2 – 2.3 )

Unpack the zip file and place the contents on the USB key.

1) Place the prepared USB key into a USB slot on the Honeywell Modbus TCP Firewall.
2) Press and hold down the button on the Honeywell Modbus TCP Firewall until the LEDs start
flashing in a marquee fashion upward from the USB port (This takes approximately 6 to 8
seconds). Release the button once the flashing starts.
3) When the marquee display stops and the normal Honeywell Modbus TCP Firewall LED display
(Mode LED on solid and Power LED on solid) returns, the update is complete.

1) Place an empty USB key into a USB slot on the Honeywell Modbus TCP Firewall.
2) Execute a USB Diagnostic Save by pressing and releasing the button on the device, for
approximately 2 seconds. The LEDs will start flashing in a marquee fashion downward towards
the USB port.
3) When the marquee display stops and the normal Honeywell Modbus TCP Firewall LED display
(Mode LED on solid and Power LED on solid) returns, the Diagnostic Save is complete.
4) Examine the resulting file (typically 00_00_xx_xx_xx_xx.diag) on the USB key using a standard
text editor such as WordPad. The resulting file should have a top section similar in format to the
following:
=============================================================================
Tofino ID: 00:00:11:8D:91:27
Firmware Base:
Tofino Linux: 1.3.0
Linux 00:00:11:8D:91:27 2.6.26.5 #11 Tue Feb 10 15:34:23 PST 2009 armv5teb unknown
Honeywell Version information:
Tofino Type: 0
Firmware Rev: 4.2
Hardware Rev: 1.0
=============================================================================

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx 5
 Private and Confidential

5) The Firmware Revision should indicate 4.1 if Auto Negotiation is required or 4.2 if Full
Duplex/100 Mbps is required. Tofino Type should be 0 (zero), which indicates a Honeywell
Modbus TCP Firewall.

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx 6
 Private and Confidential

1) Loss of power during the full upgrade process may cause corruption of the device and require it to
be returned to the factory. Do not cycle power to the device until all LEDs have stopped flashing.
The Revision B to Revision D update process will take approximately 2 minutes to complete.

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx 7
 Private and Confidential

Following is a summary description of features implemented in this release. Please refer to the Honeywell
Modbus TCP Firewall User’s Guide for more detail on these features.

Permits the following network traffic:

Master-slave communications using Modbus/TCP on TCP port 502. Modbus/TCP
communications can only be initiated from the Experion (Secured) interface of the Honeywell
Modbus TCP Firewall, with replies from the Modbus device (Unsecured) interface.
The ARP protocol is rate limited to less than 0.5 Mbps in both directions.
Network Time Protocol (NTP) requests originating from NTP client devices on the Unsecured
interface to the Experion time server and associated NTP replies.
No other network traffic is permitted through the device

Honeywell GRE status reporting for all network interfaces.

Reporting frequency of 26 seconds.

Network interface diagnostics offload to USB storage key (unencrypted)

Secure USB key based firmware updates

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx 8
 Private and Confidential

More details on these Enhancements may be found in the referenced tickets. This information is available
on request.
1.) Enhanced firewall ruleset to allow rate-limited (s)NTP traffic through the device.

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx 9
 Private and Confidential

The following are known issues for this release:

1) Possible TCP Burst Throughput Issue (Ticket #980): Packets may be dropped in burst situations
– traffic is cut off at about 80 packets when sent in a burst of about 10 ms.

Honeywell Modbus TCP Firewall Rev D Partner Upgrade Release Notes v1.0.docx 10