Firmware release notes 4.9.6
Release 4.9.6
Release name: "Castor" 4.9.6. Release date: February 25th, 2026.
Known issues
- Updates from DSOS before 4.9.0 to 4.9.0 and later may lose the player configuration on players other than HMP350, HMP300 and DiVA if the player does not have a SYSTEMS license. One workaround is to add a SYSTEMS feature set after the update, without reconfiguring the player, and reboot; the player will automatically attempt to restore the configuration. Another workaround is to recover the pending configuration backup from the player report (the /var/cache/spxmanage/restore.cfg file), extract and edit the XML configuration file to remove the line with the underscan-supported statement, and restore that amended file via Control Center.
Improvements
- The player now supports having multiple endpoints for the MQTT servers on the SpinetiX cloud, for redundancy. SpinetiX HUB and ARYA now leverage this on newly enrolled players to attempt connections over ports 8883 and 443, where previously they could only use port 8883. The player will now attempt connections over the endpoints in round-robin fashion until one succeeds, so players in networks where port 8883 is blocked may now be able to connect to MQTT over port 443. This allows players behind restrictive firewalls to have more reactive connectivity to SpinetiX HUB and ARYA.
- The default firmware update source URL now uses HTTPS instead of plain HTTP, with a fallback to HTTP in case the HTTPS connection cannot be established (e.g., due to missing root CA certificates for SSL inspection, old firmware with an outdated root certificate database, etc.). Note that all firmware update data is signed and its signature verified before use, independently of the transport protocol, so updates over plain HTTP are always secure even if the plain HTTP protocol is not.
- The recovery console is updated to version 2.28.0.
- Updated the UEFI Secure Boot forbidden signatures list (dbx) to version 2024-02-13 from UEFI and added the Microsoft 3rd party Option ROM CA 2023 certificate for maximum compatibility.
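To illustrate why the HTTP fallback for the firmware update source described above does not weaken integrity, here is an added example (not SpinetiX code) in which update data is accepted only after its detached signature verifies, whichever transport delivered it. Ed25519, the `Source` type, the throwaway key and the in-memory transports are assumptions made for the illustration; these notes do not say which signature scheme DSOS uses.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Source is a hypothetical stand-in for one update URL; Fetch returns payload and signature.
type Source struct {
	Scheme string
	Fetch  func() (data, sig []byte, err error)
}

const Image = "constructed firmware image" // constructed sample data, not a real update
var ErrBadSignature = errors.New("update signature verification failed")

// FetchVerified tries sources in order (HTTPS first, HTTP as fallback). Data is
// returned only after its signature verifies, whichever transport delivered it.
func FetchVerified(pub ed25519.PublicKey, sources []Source) ([]byte, string, error) {
	lastErr := errors.New("no update source configured")
	for _, s := range sources {
		data, sig, err := s.Fetch()
		if err == nil && ed25519.Verify(pub, data, sig) {
			return data, s.Scheme, nil
		}
		if err == nil {
			err = ErrBadSignature
		}
		lastErr = fmt.Errorf("%s: %w", s.Scheme, err)
	}
	return nil, "", lastErr
}

// RunScenario: HTTPS fails (e.g. unknown root CA), HTTP serves `served` with Image's signature.
func RunScenario(served string) (string, error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key; Ed25519 is an assumption
	sig := ed25519.Sign(priv, []byte(Image))
	_, scheme, err := FetchVerified(pub, []Source{
		{"https", func() ([]byte, []byte, error) { return nil, nil, errors.New("TLS handshake failed") }},
		{"http", func() ([]byte, []byte, error) { return []byte(served), sig, nil }},
	})
	return scheme, err
}

func main() {
	fmt.Println(RunScenario(Image))       // verified copy arrives over the HTTP fallback
	fmt.Println(RunScenario(Image + "!")) // copy modified in transit is rejected
}
```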
Fixes
- The player could crash and reboot when using a remote shared variable server and the server is unavailable.
- Omit the guc_log_dump debug file from the sysfs section in the player reports; its data is large and confusing.
Security
Updated base libraries and components; the main changes are as follows:
Applies to all DSOS players.
- binutils: fixed CVE-2025-1181, CVE-2025-11839, CVE-2025-11840 and CVE-2025-11494, none of which affected DSOS.
- gnupg: fixed CVE-2025-68973, which affected DSOS.
- curl: fixed CVE-2025-14017, CVE-2025-15079 and CVE-2025-15224, none of which affected DSOS.
- glib-2.0: fixed CVE-2025-14512, which may affect DSOS, and CVE-2025-14087 and CVE-2025-13601, none of which affected DSOS.
- util-linux: fixed CVE-2025-14104, which did not affect DSOS.
- libsoup: fixed CVE-2025-12105, which affected DSOS.
- net-snmp: fixed CVE-2025-68615, which did not affect DSOS.
- php: updated to version 8.1.34, which fixes CVE-2025-14177, CVE-2025-14178 and CVE-2025-14180; these may have affected DSOS.
- grub: fixed CVE-2025-61663 and CVE-2025-61664, which affected DSOS, and CVE-2025-61661 and CVE-2025-61662, none of which affected DSOS.