qca-ssdk: adjust the amplitude level of SGMII for Zyxel NWA130BE

To fix EMI and avoid Ethernet RX stuck after reboot for Zyxel NWA130BE.
Ethernet Rx stuck was sometimes happened when we do stress reboot,
need to adjust the amplitude level of SGMII for CPU and QCA8385 side.
And those settings come from the result that Zyxel HW team and Manufacturer
co-work to fine tune for NWA130BE.

Signed-off-by: YenLin Pan <YenLin.Pan@zyxel.com.tw>

.github/workflows/build-dev.yml

@@ -21,7 +21,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        target: [ 'cig_wf189h', 'cig_wf189w', 'cig_wf672', 'cig_wf186h', 'cig_wf186w', 'cig_wf188n', 'cig_wf189', 'cig_wf196', 'cig_wf196', 'cybertan_eww631-a1', 'cybertan_eww631-b1', 'sonicfi_rap630w-312g', 'sonicfi_rap63xc-211g', 'sonicfi_rap630c-311g', 'sonicfi_rap630w-311g', 'sonicfi_rap630w-211g', 'sonicfi_rap650c', 'sonicfi_rap7110c-341x', 'sonicfi_rap750e-h', 'sonicfi_rap750e-s', 'sonicfi_rap750w-311a', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_eap104', 'edgecore_eap105', 'edgecore_eap111', 'edgecore_eap112', 'edgecore_oap101', 'edgecore_oap101-6e', 'edgecore_oap101e', 'edgecore_oap101e-6e', 'edgecore_oap103', 'hfcl_ion4xe', 'hfcl_ion4xi', 'hfcl_ion4x', 'hfcl_ion4x_2', 'hfcl_ion4x_3', 'hfcl_ion4xi_w', 'hfcl_ion4x_w', 'indio_um-305ax', 'senao_iap4300m', 'senao_iap2300m', 'senao_jeap6500', 'udaya_a6-id2', 'udaya_a6-od2', 'yuncore_ax820', 'yuncore_ax840', 'yuncore_fap640', 'yuncore_fap650', 'yuncore_fap655', 'emplus_wap588m', 'zyxel_nwa130be', 'sercomm_ap72tip-v4' ]
+        target: [ 'cig_wf189h', 'cig_wf189w', 'cig_wf660a', 'cig_wf672', 'cig_wf186h', 'cig_wf186w', 'cig_wf188n', 'cig_wf189', 'cig_wf196', 'cig_wf196', 'cybertan_eww631-a1', 'cybertan_eww631-b1', 'sonicfi_rap630w-312g', 'sonicfi_rap63xc-211g', 'sonicfi_rap630c-311g', 'sonicfi_rap630w-311g', 'sonicfi_rap630w-211g', 'sonicfi_rap650c', 'sonicfi_rap7110c-341x', 'sonicfi_rap750e-h', 'sonicfi_rap750e-s', 'sonicfi_rap750w-311a', 'edgecore_eap101', 'edgecore_eap102', 'edgecore_eap104', 'edgecore_eap105', 'edgecore_eap111', 'edgecore_eap112', 'edgecore_oap101', 'edgecore_oap101-6e', 'edgecore_oap101e', 'edgecore_oap101e-6e', 'edgecore_oap103', 'hfcl_ion4xe', 'hfcl_ion4xi', 'hfcl_ion4x', 'hfcl_ion4x_2', 'hfcl_ion4x_3', 'hfcl_ion4xi_w', 'hfcl_ion4x_w', 'indio_um-305ax', 'senao_iap4300m', 'senao_iap2300m', 'senao_jeap6500', 'udaya_a6-id2', 'udaya_a6-od2', 'yuncore_ax820', 'yuncore_ax840', 'yuncore_fap640', 'yuncore_fap650', 'yuncore_fap655', 'emplus_wap588m', 'zyxel_nwa130be', 'sercomm_ap72tip-v4' ]
     steps:
     - uses: actions/checkout@v3
 

feeds/ipq807x_v5.4/hostapd/files/mpskd

@@ -144,7 +144,7 @@ function netifd_reload() {
 
 			push(ssid.interfaces, iface.ifname);
 			ssid.bands[band] = iface.ifname;
-			ssid.mpsk = config.multi_psk;
+			ssid.mpsk = ssid?.mpsk ? true : config.multi_psk;
 			for (let sta in iface.stations) {
 				let stacfg = sta.config;
 
@@ -308,18 +308,18 @@ function sta_auth_cache(ifname, addr, idx, phrase) {
 function auth_cb(msg) {
 	let data = msg.data;
 
-	if (!is_ssid_mpsk(data.iface))
-		return;
-
 	printf(`Event ${msg.type}: ${msg.data}\n`);
 	switch (msg.type) {
 	case 'sta_auth':
+		if (!is_ssid_mpsk(data.iface))
+			return;
+
 		return {
 			psk: sta_auth_psk(data.iface, data.sta),
 			force_psk: true,
 		};
 	case 'sta_connected':
-		if (data.psk_idx == null)
+		if (data.psk_idx == null || !is_ssid_mpsk(data.iface))
 			return;
 		return sta_auth_cache(data.iface, data.sta, data.psk_idx, data.psk);
 	case 'reload':

feeds/morse/netifd-morse/lib/netifd/wireless/morse.sh

@@ -832,6 +832,13 @@ morse_hostapd_add_bss(){
 	morse_override_hostapd_set_bss_options hostapd_cfg "$_phy" "$vif" || return 1
 	json_get_vars wds wds_bridge sae_pwe dtim_period max_listen_int start_disabled
 
+	local network_config network_values
+	json_get_values network_values network
+	network_config=$(echo "$network_values" | cut -d' ' -f1)
+
+	if [ "$wds" -gt 0 ] && [ -z "$wds_bridge" ]; then
+		wds_bridge="${network_config%%[0-9]*}"
+	fi
 
 	raw_block=
 	json_for_each_item morse_hostapd_add_raw raws

feeds/qca-wifi-7/cig-platform-pkg/cig-poe-judgment/Makefile

@@ -0,0 +1,25 @@
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=cig-poe-judgment
+PKG_RELEASE:=1
+PKG_LICENSE:=GPL-2.0
+
+include $(INCLUDE_DIR)/package.mk
+
+define KernelPackage/cig-poe-judgment
+  SUBMENU:=Other modules
+  TITLE:=CIG POE judgment
+  FILES:=$(PKG_BUILD_DIR)/cig_poe_judgment.ko
+  AUTOLOAD:=$(call AutoLoad,99,cig_poe_judgment)
+endef
+
+define KernelPackage/cig-poe-judgment/description
+  Find POE type
+endef
+
+define Build/Compile
+	$(KERNEL_MAKE) M="$(PKG_BUILD_DIR)" modules
+endef
+
+$(eval $(call KernelPackage,cig-poe-judgment))

feeds/qca-wifi-7/cig-platform-pkg/cig-poe-judgment/src/Makefile

@@ -0,0 +1 @@
+obj-m += cig_poe_judgment.o

feeds/qca-wifi-7/cig-platform-pkg/cig-poe-judgment/src/cig_poe_judgment.c

@@ -0,0 +1,252 @@
+#include <linux/module.h>
+#include <linux/device.h>
+#include <linux/proc_fs.h>
+#include <linux/kthread.h>
+#include <linux/of.h>
+#include <linux/of_address.h>
+#include <linux/irqreturn.h>
+#include <linux/of_gpio.h>
+#include <linux/err.h>
+#include <linux/types.h>
+#include <linux/interrupt.h>
+#include <linux/of_irq.h>
+#include <linux/of_platform.h>
+#include <asm/uaccess.h>
+
+#define GPIO_MAX 		8 
+#define INT_MODE_MASK 		0xf0
+#define DETECT_MODE1	 	0x3
+#define DETECT_MODE2	 	0x4
+
+enum POE_TYPE {
+	POE_TYPE_AT = 1,
+	POE_TYPE_AF,
+	POE_TYPE_BT,
+	POE_TYPE_DC,
+	POE_TYPE_MAX
+};
+
+struct poe_irq_data
+{
+	struct device *dev;
+	int irq;
+	struct tasklet_struct tasklet;
+	int poe_type;
+};
+
+static void  *poe_gpio_base;
+static void  *pse_gpio_base;
+struct poe_irq_data *data = NULL;
+u32 mode;
+
+static const struct of_device_id my_of_ids[] = {
+	{.compatible = "poe-judge"},
+	{},
+};
+
+MODULE_DEVICE_TABLE(of,my_of_ids);
+
+static int poe_info_proc_show(struct seq_file *m, void *v)
+{
+	const char *type_str = "invalid";
+
+	switch (data->poe_type) {
+		case POE_TYPE_AT: 
+			type_str = "AT"; 
+			break;
+		case POE_TYPE_AF: 
+			type_str = "AF"; 
+			break;
+		case POE_TYPE_BT: 
+			type_str = "BT"; 
+			break;
+		case POE_TYPE_DC: 
+			type_str = "DC"; 
+			break;
+	}
+
+	seq_printf(m, "%s\n", type_str);
+
+	return 0;
+}
+
+static void poe_tasklet_func(unsigned long data)
+{
+	struct poe_irq_data *irq_data = (struct poe_irq_data *)data;
+
+	writel(0x3, pse_gpio_base+4);
+	irq_data->poe_type = POE_TYPE_BT;
+
+	return;
+}
+
+static irqreturn_t gpio_key1_irq_handler(int irq, void *dev_id)
+{
+	struct poe_irq_data *data = (struct poe_irq_data *)dev_id;
+
+	disable_irq_nosync(data->irq);
+	tasklet_schedule(&data->tasklet);
+
+	return IRQ_HANDLED;
+}
+
+static int poe_info_proc_open(struct inode *inode, struct file *file)
+{
+	return single_open(file, poe_info_proc_show, NULL);
+}
+
+static const struct proc_ops poe_info_proc_fops = {
+	.proc_open = poe_info_proc_open,
+	.proc_read = seq_read,
+	.proc_lseek = seq_lseek,
+	.proc_release = single_release,
+};
+
+static int gpio_key_probe(struct platform_device *dev)
+{
+	int ret = 0;
+	int irq = (-1);
+	int val = 0;
+	int gpio_id = 0;
+	int gpio[GPIO_MAX] = {0}, gpio_val[GPIO_MAX] = {0};
+	int num;
+	char name[16];
+	struct device_node *np = dev->dev.of_node;
+
+	if (of_property_read_u32(np, "detect-mode", &mode)) {
+		pr_err("Failed to read detect mode\n");
+		return -EINVAL;
+	}
+
+	data = devm_kzalloc(&dev->dev, sizeof(struct poe_irq_data), GFP_KERNEL);
+	if (!data)
+	{
+		return -ENOMEM;
+	}
+
+	if (mode & INT_MODE_MASK) {
+		poe_gpio_base = ioremap(0x1017004, 8);
+		pse_gpio_base = ioremap(0x1026000, 8);
+
+		writel(0x2c1, pse_gpio_base);
+		writel(0x0, pse_gpio_base+4);
+
+
+		data->dev = &dev->dev;
+		dev_set_drvdata(&dev->dev, data);
+
+		gpio_id = of_get_named_gpio(dev->dev.of_node, "detect_gpio", 0);
+		if (gpio_id < 0)
+		{
+			return -EINVAL;
+		}
+
+		tasklet_init(&data->tasklet, poe_tasklet_func, (unsigned long)data);
+
+		ret = devm_gpio_request_one(&dev->dev, gpio_id, GPIOF_IN, "poe_judge");
+		if(ret)
+		{
+			pr_err("GPIO23 request failed, ret:%d\n", ret);
+			return ret;
+		}
+
+		val = readl(poe_gpio_base);
+		if(val == 1)
+		{
+			pr_info("poe type is af or bt,close pse first\n");
+			data->poe_type = POE_TYPE_AF;
+		}
+		else
+		{
+			data->poe_type = POE_TYPE_AT;
+		}
+
+		irq = gpio_to_irq(gpio_id);
+		data->irq = irq;
+
+		ret = devm_request_any_context_irq(&dev->dev, data->irq, 
+				gpio_key1_irq_handler, 
+				IRQF_TRIGGER_FALLING, 
+				"poe_judge", data);
+		if (ret)
+		{
+			pr_err("Request irq fail %d\n", ret);
+			return ret;
+		}
+	} else {
+		if (mode == DETECT_MODE1 || mode == DETECT_MODE2) {
+			num = 3;
+		} else {
+			pr_err("Wrong poe detect mode\n");
+			return -ENOMEM;
+		}
+
+		for (int i = 0; i < num; i++) {
+			sprintf(name, "detect-gpio%d", i+1);
+			gpio[i] = of_get_named_gpio(np, name, 0); 	
+			ret = gpio_request(gpio[i], name);
+			if (ret) {
+				pr_err("Can not request gpio %d\n", i+1);
+				return ret;
+			}
+			gpio_direction_input(gpio[i]);
+			gpio_val[i] = gpio_get_value_cansleep(gpio[i]);
+		}
+		
+		if (mode == DETECT_MODE1){
+			if (gpio_val[0] > 0) {
+				data->poe_type = POE_TYPE_DC;
+			} else if (gpio_val[1] > 0){
+				if (gpio_val[2] == 0) {
+					data->poe_type = POE_TYPE_AT;
+				} else {
+					data->poe_type = POE_TYPE_AF;
+				}
+			}
+		}else if (mode == DETECT_MODE2){
+			switch (gpio_val[0] | (gpio_val[1] << 1) | (gpio_val[2] << 2)) {
+				case 3:
+					data->poe_type = POE_TYPE_AT;
+					break;
+				case 4:
+					data->poe_type = POE_TYPE_BT;
+					break;
+				case 7:
+					data->poe_type = POE_TYPE_AF;
+					break;
+			}
+		}
+
+	}
+
+	if (!proc_create("poe_info", 0444, NULL, &poe_info_proc_fops)) {
+		pr_err("Failed to create proc entry for poe_info\n");
+		return -ENOMEM;
+	}
+
+	return ret;
+}
+
+static int gpio_key_remove(struct platform_device *dev)
+{
+	remove_proc_entry("poe_info", NULL);
+
+	return 0;
+}
+
+static struct platform_driver poe_judge_driver =
+{
+	.driver = {
+		.name = "poe_judge",
+		.of_match_table = my_of_ids,
+		.owner = THIS_MODULE,
+	},
+	.probe = gpio_key_probe,
+	.remove = gpio_key_remove,
+};
+
+module_platform_driver(poe_judge_driver);
+
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Poe type judgment driver");
+MODULE_AUTHOR("huangyunxiang<huangyunxiang@cigtech.com>");

feeds/qca-wifi-7/hostapd/files/hostapd.sh

@@ -777,11 +777,16 @@ hostapd_set_bss_options() {
 			set_default sae_require_mfp 1
 			[ "$ppsk" -eq 0 ] && set_default sae_pwe 2
 		;;
-		psk-sae|psk2-radius|eap-eap2)
+		psk-sae|eap-eap2)
 			set_default ieee80211w 1
 			set_default sae_require_mfp 1
 			[ "$ppsk" -eq 0 ] && set_default sae_pwe 2
 		;;
+                psk2-radius)
+			set_default ieee80211w 1
+			set_default sae_require_mfp 0
+			[ "$ppsk" -eq 0 ] && set_default sae_pwe 4
+                ;;
 	esac
 	[ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"
 	[ -n "$sae_pwe" ] && append bss_conf "sae_pwe=$sae_pwe" "$N"

feeds/qca-wifi-7/hostapd/files/mpskd

@@ -144,7 +144,7 @@ function netifd_reload() {
 
 			push(ssid.interfaces, iface.ifname);
 			ssid.bands[band] = iface.ifname;
-			ssid.mpsk = config.multi_psk;
+			ssid.mpsk = ssid?.mpsk ? true : config.multi_psk;
 			for (let sta in iface.stations) {
 				let stacfg = sta.config;
 
@@ -308,18 +308,18 @@ function sta_auth_cache(ifname, addr, idx, phrase) {
 function auth_cb(msg) {
 	let data = msg.data;
 
-	if (!is_ssid_mpsk(data.iface))
-		return;
-
 	printf(`Event ${msg.type}: ${msg.data}\n`);
 	switch (msg.type) {
 	case 'sta_auth':
+		if (!is_ssid_mpsk(data.iface))
+			return;
+
 		return {
 			psk: sta_auth_psk(data.iface, data.sta),
 			force_psk: true,
 		};
 	case 'sta_connected':
-		if (data.psk_idx == null)
+		if (data.psk_idx == null || !is_ssid_mpsk(data.iface))
 			return;
 		return sta_auth_cache(data.iface, data.sta, data.psk_idx, data.psk);
 	case 'reload':

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-cig-wf189.dts

@@ -236,6 +236,15 @@
 			};
 		};
 
+		poe {
+			compatible = "poe-judge";
+			detect-mode = <0x3>;
+			detect-gpio1 = <&tlmm 25 GPIO_ACTIVE_HIGH>;
+			detect-gpio2 = <&tlmm 43 GPIO_ACTIVE_HIGH>;
+			detect-gpio3 = <&tlmm 29 GPIO_ACTIVE_HIGH>;
+			status = "ok";
+                };
+
 		wsi: wsi {
 			id = <0>;
 			num_chip = <2>;

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-cig-wf189h.dts

@@ -298,6 +298,13 @@
 			};
 		};
 
+		poe {
+                        compatible = "poe-judge";
+			detect-mode = <0x11>;
+                        detect_gpio = <&tlmm 0x17 0>;
+                        status = "ok";
+                };
+
 		ess-instance {
 			num_devices = <0x2>;
 

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-cig-wf189w.dts

@@ -298,6 +298,13 @@
 			};
 		};
 
+		poe {
+                        compatible = "poe-judge";
+			detect-mode = <0x11>;
+                        detect_gpio = <&tlmm 0x17 0>;
+                        status = "ok";
+                };
+
 		ess-instance {
 			num_devices = <0x2>;
 

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-cig-wf672.dts

@@ -234,6 +234,15 @@
 			};
 		};
 
+		poe {
+			compatible = "poe-judge";
+			detect-mode = <0x4>;
+			detect-gpio1 = <&extgpio 0 0>;
+			detect-gpio2 = <&extgpio 1 0>;
+			detect-gpio3 = <&extgpio 2 0>;
+			status = "ok";
+                };
+
 		wsi: wsi {
 			id = <0>;
 			num_chip = <2>;
@@ -538,7 +547,6 @@
 	pinctrl-0 = <&pwm_pins>;
 	pinctrl-names = "default";
 	dft-pwm-status = <0>, <0>, <1>, <0>;
-        poe_type_pin = <&extgpio 0 0 &extgpio 1 0 &extgpio 2 0>;
 	status = "okay";
 };
 

feeds/qca-wifi-7/qca-ssdk-qca/Makefile

@@ -100,6 +100,7 @@ endif
 ifdef CONFIG_TARGET_PROFILE
 TARGET_PROFILE=$(subst ",,$(CONFIG_TARGET_PROFILE))
 PATCH_PROFILE_NAME=patches-$(subst DEVICE_,,$(TARGET_PROFILE))
+FILES_PROFILE_NAME=files-$(subst DEVICE_,,$(TARGET_PROFILE))
 endif
 
 QCASSDK_CONFIG_OPTS+= TOOL_PATH=$(TOOLCHAIN_BIN_PATH) \
@@ -202,6 +203,15 @@ define patch_profile
 	$(call PatchDir/Default,$(PKG_BUILD_DIR),./$(PATCH_PROFILE_NAME))
 endef
 
+define files_profile
+
+	if [ -d "./$(FILES_PROFILE_NAME)" ]; then \
+		$(CP) ./$(FILES_PROFILE_NAME)/* ./files/ ; \
+	fi
+endef
+
 Hooks/Prepare/Post += patch_profile
+Hooks/Prepare/Post += files_profile
+
 $(eval $(call KernelPackage,qca-ssdk-qca-nohnat))
 $(eval $(call KernelPackage,qca-ssdk-qca-hnat))

feeds/qca-wifi-7/qca-ssdk-qca/files-zyxel_nwa130be/qca-ssdk

@@ -0,0 +1,317 @@
+#!/bin/sh /etc/rc.common
+# Copyright (c) 2018, 2021, The Linux Foundation. All rights reserved.
+# Copyright (c) 2022-2024, Qualcomm Innovation Center, Inc. All rights reserved.
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+
+START=16
+
+#!/bin/sh
+ruletype="ip4 ip6"
+side="wan lan"
+qwan="1 3 2 0 5 7 6 4"
+qlan="0 1 2 3 4 5 6 7"
+
+function create_war_acl_rules(){
+	for lw in $side
+	do
+		#echo $lw
+		if [ "$lw" == "wan" ];then
+			listid=254
+			queue=$qwan
+			portmap=0x20
+		else
+			listid=255
+			queue=$qlan
+			portmap=0x1e
+		fi
+		#echo $queue
+		#echo "creating list $listid"
+		ssdk_sh acl list create $listid 255
+		ruleid=0
+		for rt in $ruletype
+		do
+			for qid in $queue
+			do
+				cmd="ssdk_sh acl rule add $listid $ruleid  1 n 0 0"
+				#echo $cmd
+				if [ "$rt" == "ip4" ];then
+					cmd="$cmd ip4 n n n n n n n n n n n n n n n n n n n n n n n n n n n n n"
+					#echo $cmd
+				else
+					cmd="$cmd ip6 n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n n"
+					#echo $cmd
+				fi
+				if [ $ruleid -le 3 ];then
+					#non-zero dscp
+					cmd="$cmd y 0x0 0xff"
+				elif [ $ruleid -le 7 ];then
+					#zero dscp
+					cmd="$cmd n"
+				elif [ $ruleid -le 11 ];then
+					#non-zero dscp
+					cmd="$cmd y 0x0 0xff"
+				else
+					#zero dscp
+					cmd="$cmd n"
+				fi
+				p=$((ruleid/2))
+				cmd="$cmd y mask $((ruleid%2)) 0x1 y mask $((p%2)) 0x1 n n n n n n n n n n n n n n n y n n n n n n n y $qid n n 0 0 n n n n n n n n n n n n n n n n n n n n 0"
+				#echo $cmd
+				$cmd
+				ruleid=`expr $ruleid + 1`
+			done
+		done
+		ssdk_sh acl list bind $listid 0 1 $portmap
+	done
+}
+
+function create_war_cosmap(){
+	ssdk_sh cosmap pri2q set 0 0
+	ssdk_sh cosmap pri2q set 1 0
+	ssdk_sh cosmap pri2q set 2 0
+	ssdk_sh cosmap pri2q set 3 0
+	ssdk_sh cosmap pri2q set 4 1
+	ssdk_sh cosmap pri2q set 5 1
+	ssdk_sh cosmap pri2q set 6 1
+	ssdk_sh cosmap pri2q set 7 1
+	ssdk_sh cosmap pri2ehq set 0 0
+	ssdk_sh cosmap pri2ehq set 1 0
+	ssdk_sh cosmap pri2ehq set 2 0
+	ssdk_sh cosmap pri2ehq set 3 0
+	ssdk_sh cosmap pri2ehq set 4 1
+	ssdk_sh cosmap pri2ehq set 5 1
+	ssdk_sh cosmap pri2ehq set 6 1
+	ssdk_sh cosmap pri2ehq set 7 1
+}
+
+function create_acl_byp_egstp_rules(){
+	chip_ver=$1
+	cmd="ssdk_sh servcode config set 1 n 0 0xfffefc7f 0xffbdff 0 0 0 0 0 0"
+	if [ "$chip_ver" == "0x2000" ] || [ "$chip_ver" = "0x2001" ] || [ "$chip_ver" = "0x2100" ]; then
+		cmd="$cmd 0"
+	fi
+	#echo $cmd
+	$cmd
+
+	ssdk_sh acl list create 56 48
+	#action bypass eg stp check
+	action="y n n n n n n n n n n 0 0 n n n n n n n n n n n n n y n n n n n n n n n n n n y n n n n n n n n n n n n n n n n n n"
+	if [ "$chip_ver" == "0x2000" ]; then
+		action="$action n n 0"
+	elif [ "$chip_ver" = "0x2001" ] || [ "$chip_ver" = "0x2100" ]; then
+		action="$action n n n 0"
+	else
+		action="$action 0"
+	fi
+
+	for ruleid in $( seq 0 2 )
+	do
+		if [ "$ruleid" == "0" ];then
+			cmd="ssdk_sh acl rule add 56 0 1 n 0 0 mac n n n n n y 01-80-c2-00-00-00 ff-ff-ff-ff-ff-ff n n n n n n n n n n n n n n n n n n n n n n n"
+		elif [ "$ruleid" == "1" ];then
+			cmd="ssdk_sh acl rule add 56 1 1 n 0 0 mac n n n n n n n yes 0x8809 0xffff n n n n n n n n n n n n n n n n n n n n n"
+		else
+			cmd="ssdk_sh acl rule add 56 2 1 n 0 0 mac n n n n n n n yes 0x888e 0xffff n n n n n n n n n n n n n n n n n n n n n"
+		fi
+		if [ "$chip_ver" == "0x2000" ] || [ "$chip_ver" = "0x2001" ] || [ "$chip_ver" = "0x2100" ]; then
+			cmd="$cmd n $action"
+		else
+			cmd="$cmd $action"
+		fi
+		#echo $cmd
+		$cmd
+	done
+	ssdk_sh acl list bind 56 0 2 1
+}
+
+function delete_war_acl_rules(){
+	for lw in $side
+	do
+		#echo $lw
+		if [ "$lw" == "wan" ];then
+			listid=254
+			queue=$qwan
+			portmap=0x20
+		else
+			listid=255
+			queue=$qlan
+			portmap=0x1e
+		fi
+		ssdk_sh acl list unbind $listid 0 1 $portmap
+		for rt in $ruletype
+		do
+			for qid in $queue
+			do
+				cmd="ssdk_sh acl rule del $listid 0 1"
+				echo $cmd
+				$cmd
+			done
+		done
+		#echo "deleting list $listid"
+		ssdk_sh acl list destroy $listid
+	done
+}
+
+function delete_war_cosmap(){
+	ssdk_sh cosmap pri2q set 0 0
+	ssdk_sh cosmap pri2q set 1 0
+	ssdk_sh cosmap pri2q set 2 1
+	ssdk_sh cosmap pri2q set 3 1
+	ssdk_sh cosmap pri2q set 4 2
+	ssdk_sh cosmap pri2q set 5 2
+	ssdk_sh cosmap pri2q set 6 3
+	ssdk_sh cosmap pri2q set 7 3
+	ssdk_sh cosmap pri2ehq set 0 1
+	ssdk_sh cosmap pri2ehq set 1 0
+	ssdk_sh cosmap pri2ehq set 2 2
+	ssdk_sh cosmap pri2ehq set 3 2
+	ssdk_sh cosmap pri2ehq set 4 3
+	ssdk_sh cosmap pri2ehq set 5 3
+	ssdk_sh cosmap pri2ehq set 6 4
+	ssdk_sh cosmap pri2ehq set 7 5
+}
+
+function delete_acl_byp_egstp_rules(){
+	chip_ver=$1
+	cmd="ssdk_sh servcode config set 1 n 0 0xfffefcff 0xffbfff 0 0 0 0 0 0"
+	if [ "$chip_ver" == "0x2000" ] || [ "$chip_ver" = "0x2001" ] || [ "$chip_ver" = "0x2100" ]; then
+		cmd="$cmd 0"
+	fi
+	#echo $cmd
+	$cmd
+	ssdk_sh acl list unbind 56 0 2 1
+	ssdk_sh acl rule del 56 0 1
+	ssdk_sh acl rule del 56 1 1
+	ssdk_sh acl rule del 56 2 1
+	ssdk_sh acl list destroy 56
+}
+
+function edma_war_config_add(){
+	create_war_cosmap
+	ssdk_sh acl status set enable
+	create_war_acl_rules
+}
+
+function edma_war_config_del(){
+	delete_war_acl_rules
+	delete_war_cosmap
+}
+
+function ipq50xx_serdes_monitor () {
+	#if qca808x phy exist, need to monitor the serdes to avoid the effect for WIFI
+	port_id=2
+	old_linkstatus="DISABLE"
+	phy_id_info=`ssdk_sh port phyid get $port_id | grep Org | awk -F '!' '{print $2}'`
+	if [ "$phy_id_info" = "[Org ID]:0x004d[Rev ID]:0xd101" ]; then
+		ssdk_sh debug phy set 29 0xb 0x300d
+		ssdk_sh debug uniphy set 0 0x7ac 0x300d 4
+
+		while true
+		do
+			cur_linkstatus=`ssdk_sh port linkstatus get $port_id | grep Status | awk -F ':' '{print $2}'`
+			#when qca808x phy link status is from down to up, serdes tx would be enabled
+			if [ "$cur_linkstatus" = "ENABLE" ] && [ "$old_linkstatus" = "DISABLE" ]; then
+				ssdk_sh debug phy set 29 0xb 0xb00d
+				ssdk_sh debug uniphy set 0 0x7ac 0xb00d 4
+			fi
+			#when qca808x phy link status is from up to down, serdes tx would be disabled
+			if [ "$cur_linkstatus" = "DISABLE" ] && [ "$old_linkstatus" = "ENABLE" ]; then
+				ssdk_sh debug phy set 29 0xb 0x300d
+				ssdk_sh debug uniphy set 0 0x7ac 0x300d 4
+			fi
+			old_linkstatus=$cur_linkstatus
+		done
+	fi
+}
+
+function ipq53xx_phy_amplitude_set () {
+	#for qca808x phy sgmii, set half amplitude with src_half_swing register
+	port_id=2
+	phy_id_info=`ssdk_sh port phyid get $port_id | grep Org | awk -F '!' '{print $2}'`
+	if [ "$phy_id_info" = "[Org ID]:0x004d[Rev ID]:0xd180" ]; then
+		ssdk_sh debug phy set 5 0x40010087 0x208a
+		ssdk_sh debug phy set 6 0x40010087 0x208a
+		#Set the Reg0x67 bits[7:5]=3’b000 and bit4=1’b1
+		ampl_val=$(eval "ssdk_sh debug phy get 5 0x40010067 | grep SSDK | grep -oE '0x[0-9a-fA-F]+' | sed 's/\(0x..\)./\11/'")
+		ssdk_sh debug phy set 5 0x40010067 $ampl_val
+		ampl_val=$(eval "ssdk_sh debug phy get 6 0x40010067 | grep SSDK | grep -oE '0x[0-9a-fA-F]+' | sed 's/\(0x..\)./\11/'")
+		ssdk_sh debug phy set 6 0x40010067 $ampl_val
+	fi
+}
+
+function ipq53xx_uniphy_amplitude_set () {
+	#for ipq50xx sgmii, set half amplitude with tx_emp_lvl/margin_index and tx_margin
+	ssdk_sh debug uniphy set 0 0x7ac 0xb10d 4
+	ssdk_sh debug uniphy set 0 0x24 0 4
+	ssdk_sh debug uniphy set 1 0x7ac 0xb10d 4
+	ssdk_sh debug uniphy set 1 0x24 0 4
+}
+
+ssdk_dependency() {
+	counter=0
+	[ -e /lib/modules/$(uname -r)/qca-ssdk.ko ] && [ ! -d /sys/module/qca_ssdk ] && {
+		insmod qca-ssdk.ko
+	}
+	while [ ! -d /sys/ssdk ] && [ "$counter" -le 5 ]
+	do
+		sleep 1
+		counter=$((counter+1))
+	done
+}
+
+start() {
+	ssdk_dependency
+	chip_ver=`ssdk_sh debug reg get 0 4 | grep Data | tr -d 'SSDK Init OK![Data]:'`
+	#The following commands should be uncommented to enable EDMA WAR
+	if [ "$chip_ver" = "0x1401" ]; then
+		#edma_war_config_add
+		echo ''
+	fi
+	#The following commands should be uncommented to add acl egress stp bypass rules
+	if [ "$chip_ver" = "0x1500" ] || [ "$chip_ver" = "0x1501" ] || [ "$chip_ver" = "0x2000" ] || [ "$chip_ver" = "0x2001" ] || [ "$chip_ver" = "0x2100" ]; then
+		#create_acl_byp_egstp_rules $chip_ver
+		echo ''
+	fi
+	#The following commands should be uncommented to enable WAR for ipq50xx
+	chip_type_info=`cat tmp/sysinfo/model`
+	result=$(echo $chip_type_info | grep "IPQ5018")
+	if [ "$result" != "" ]; then
+		#ipq50xx_serdes_monitor &
+		#ipq50xx_uniphy_amplitude_set
+		#ipq50xx_phy_amplitude_set
+		echo ''
+	fi
+	if [ "$chip_ver" = "0x2001" ]; then
+		ipq53xx_uniphy_amplitude_set
+		ipq53xx_phy_amplitude_set
+		echo ''
+	fi
+	echo starting
+}
+
+stop() {
+	chip_ver=`ssdk_sh debug reg get 0 4 | grep Data | tr -d 'SSDK Init OK![Data]:'`
+	#The following commands should be uncommented to disable EDMA WAR
+	if [ "$chip_ver" = "0x1401" ]; then
+		#edma_war_config_del
+		echo ''
+	fi
+	#The following commands should be uncommented to delete acl egress stp bypass rules
+	if [ "$chip_ver" = "0x1500" ] || [ "$chip_ver" = "0x1501" ] || [ "$chip_ver" = "0x2000" ] || [ "$chip_ver" = "0x2001" ] || [ "$chip_ver" = "0x2100" ]; then
+		#delete_acl_byp_egstp_rules $chip_ver
+		echo ''
+	fi
+	echo stoping
+}

feeds/tip/certificates/files/etc/init.d/early_boot

@@ -5,12 +5,10 @@ START=09
 copy_certificates() {
 	[ -f /certificates/key.pem ] || return
 
-	cp /certificates/*.pem /etc/ucentral/
-	chown root.network /etc/ucentral/*.pem
-	chmod 0440 root.network /etc/ucentral/*.pem
+	cp /certificates/cert.pem /certificates/key.pem /certificates/operational.* /etc/ucentral/
+	chown root.network /etc/ucentral/*.pem /etc/ucentral/*.ca
+	chmod 0440 root.network /etc/ucentral/*.pem /etc/ucentral/*.ca
 	[ -f /certificates/gateway.json ] && cp /certificates/gateway.json /etc/ucentral/gateway.flash
-	[ -f /certificates/dev-id ] && cp /certificates/dev-id /etc/ucentral/
-	[ -f /etc/ucentral/dev-id ] && chmod 0400 /etc/ucentral/dev-id
 	[ -f /certificates/restrictions.json ] && cp /certificates/restrictions.json /etc/ucentral/
 	[ -f /certificates/sign_pubkey.pem ] && cp /certificates/sign_pubkey.pem /etc/ucentral/
 	country=`cat /certificates/ucentral.defaults | jsonfilter -e '@.country'`

feeds/tip/certificates/files/etc/uci-defaults/99-tip-certificates.sh

@@ -2,5 +2,5 @@
 
 uci add system certificates
 uci set system.@certificates[-1].key=/etc/ucentral/key.pem
-uci set system.@certificates[-1].cert=/etc/ucentral/cert.pem
-uci set system.@certificates[-1].ca=/etc/ucentral/cas.pem
+uci set system.@certificates[-1].cert=/etc/ucentral/operational.pem
+uci set system.@certificates[-1].ca=/etc/ucentral/operational.ca

feeds/tip/certificates/files/usr/bin/mount_certs

@@ -1,25 +1,22 @@
 #!/bin/sh
 
 check_certificates() {
-	[ -f /certificates/cas.pem -a -f /certificates/cert.pem -a -f /certificates/key.pem ] && exit 0
+	[ -f /certificates/cert.pem -a -f /certificates/key.pem ] && exit 0
 }
 
 check_certificates
 
+bootconfig_lookup() {
+	case "$(fw_printenv -n cert_part)" in
+	0)	echo "0:BOOTCONFIG"
+		;;
+	1)	echo "0:BOOTCONFIG1"
+		;;
+	esac
+}
+
 . /lib/functions.sh
 mkdir -p /certificates /etc/ucentral/
-mtd=$(find_mtd_index certificates)
-
-if [ "$(head -c 4 /dev/mtd$mtd)" == "hsqs" ]; then
-	mount -t squashfs /dev/mtdblock$mtd /certificates
-else
-	[ -n "$mtd" -a -f /sys/class/mtd/mtd$mtd/oobsize ] && ubiattach -p /dev/mtd$mtd
-	if [ -n "$(ubinfo -a | grep certificates)" ]; then
-		[ -e /dev/ubi0 ] && mount -t ubifs ubi0:certificates /certificates
-		[ -e /dev/ubi1 ] && mount -t ubifs ubi1:certificates /certificates
-	fi
-fi
-
 case "$(board_name)" in
 cig,wf660a)
 	mmc_dev=$(echo $(find_mmc_part "0:ETHPHYFW") | sed 's/^.\{5\}//')
@@ -31,8 +28,28 @@ cig,wf672)
 	;;
 sonicfi,rap7110c-341x)
 	mmc_dev=$(echo $(find_mmc_part "certificates") | sed 's/^.\{5\}//')
-	[ -n "$mmc_dev" ] && mount -t squashfs /dev/$mmc_dev /certificates
+	[ -n "$mmc_dev" ] && mount -t squashfs /dev/$mmc_dev /mnt
+	bootconfig=$(bootconfig_lookup)
+	if [ -n "$bootconfig" ]; then
+		mmc_dev=$(echo $(find_mmc_part "$bootconfig") | sed 's/^.\{5\}//')
+		[ -n "$mmc_dev" ] && tar xf /dev/$mmc_dev -C /certificates
+	else
+		cp /mnt/* /certificates/
+		umount /mnt
+	fi
 	;;
+*)
+	mtd=$(find_mtd_index certificates)
+
+	if [ "$(head -c 4 /dev/mtd$mtd)" == "hsqs" ]; then
+		mount -t squashfs /dev/mtdblock$mtd /certificates
+	else
+		[ -n "$mtd" -a -f /sys/class/mtd/mtd$mtd/oobsize ] && ubiattach -p /dev/mtd$mtd
+		if [ -n "$(ubinfo -a | grep certificates)" ]; then
+			[ -e /dev/ubi0 ] && mount -t ubifs ubi0:certificates /certificates
+			[ -e /dev/ubi1 ] && mount -t ubifs ubi1:certificates /certificates
+		fi
+	fi
 esac
 
 check_certificates

feeds/tip/certificates/files/usr/bin/store_certs

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+bootconfig_lookup() {
+	bootconfig="$(fw_printenv -n cert_part)"
+	case "$(fw_printenv -n cert_part)" in
+	0)	echo "0:BOOTCONFIG1"
+		bootconfig=1
+		;;
+	*)	echo "0:BOOTCONFIG"
+		bootconfig=0
+		;;
+	esac
+	fw_setenv cert_part $bootconfig
+}
+
+. /lib/functions.sh
+case "$(board_name)" in
+sonicfi,rap7110c-341x)
+	cd /certificates
+	tar cf /tmp/certs.tar
+	bootconfig=$(bootconfig_lookup)
+	mmc_dev=$(echo $(find_mmc_part $bootconfig) | sed 's/^.\{5\}//')
+	dd if=/tmp/certs.tar of=/dev/$bootconfig
+	;;
+esac

feeds/tip/cloud_discovery/Makefile

@@ -12,6 +12,7 @@ define Package/cloud_discovery
   SECTION:=ucentral
   CATEGORY:=uCentral
   TITLE:=TIP cloud_discovery
+  DEPENDS:=+certificates
 endef
 
 Build/Compile=

feeds/tip/cloud_discovery/files/etc/init.d/cloud_discover

@@ -22,13 +22,6 @@ start_service() {
 	[ "$valid" == "true" ] || 
 		/usr/share/ucentral/ucentral.uc /etc/ucentral/ucentral.cfg.0000000001 > /dev/null
 
-	[ "$(fw_printenv -n pki2)" -eq 1 ] || {
-		/etc/init.d/cloud_discover disable
-		return
-	}
-
-	/etc/init.d/firstcontact disable
-
 	procd_open_instance
 	procd_set_param command "$PROG"
 	procd_set_param respawn

feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery

@@ -80,7 +80,7 @@ function gateway_write(data) {
 	gateway ??= {};
 	let new = {};
 	let changed = false;
-	for (let key in [ 'server', 'port', 'valid' ]) {
+	for (let key in [ 'server', 'port', 'valid', 'hostname_validate' ]) {
 		if (exists(data, key))
 			new[key] = data[key];
 		else if (exists(gateway, key))
@@ -144,7 +144,7 @@ function set_state(set) {
 function discover_dhcp() {
 	let dhcp = readjsonfile('/tmp/cloud.json');
 	if (dhcp?.dhcp_server && dhcp?.dhcp_port) {
-		if (gateway_write({ server: dhcp.dhcp_server, port:dhcp.dhcp_port, valid: false })) {
+		if (gateway_write({ server: dhcp.dhcp_server, port:dhcp.dhcp_port, valid: false, hostname_validate: dhcp.no_validation ? 0 : 1 })) {
 			ulog(LOG_INFO, `Discovered cloud via DHCP ${dhcp.dhcp_server}:${dhcp.dhcp_port}\n`);
 			client_start();
 			set_state(VALIDATING);
@@ -160,27 +160,30 @@ function redirector_lookup() {
 	let serial = uci.get('system', '@system[-1]', 'mac');
 
 	fs.unlink(path);
-	system(`curl -k --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/cas.pem https://openlan.keys.tip.build/v1/devices/${serial} --output /tmp/ucentral.redirector`);
+	system(`curl -k --cert /etc/ucentral/operational.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/operational.ca https://openlan.keys.tip.build/v1/devices/${serial} --output /tmp/ucentral.redirector`);
 	if (!fs.stat(path))
 		return;
 	let redir = readjsonfile(path);
 	if (redir?.controller_endpoint) {
 		let controller_endpoint = split(redir.controller_endpoint, ':');
-		if (gateway_write({ server: controller_endpoint[0], port: controller_endpoint[1] || 15002, valid: false })) {
-			ulog(LOG_INFO, `Discovered cloud via lookup service ${redir.server}:${redir.port}\n`);
+		if (gateway_write({ server: controller_endpoint[0], port: controller_endpoint[1] || 15002, valid: false, hostname_validate: 1 })) {
+			ulog(LOG_INFO, `Discovered cloud via lookup service ${controller_endpoint[0]}:${controller_endpoint[1] || 15002}\n`);
                         client_start();
                 	set_state(VALIDATING);
 		}
+	} else {
+		ulog(LOG_INFO, 'Failed to discover cloud endpoint\n');
 	}
 }
 
 function discover_flash() {
 	if (!fs.stat('/etc/ucentral/gateway.flash'))
-		return false;
+		return 1;
 	ulog(LOG_INFO, 'Using pre-populated cloud information\n');
 	fs.writefile('/etc/ucentral/gateway.json', fs.readfile('/etc/ucentral/gateway.flash'));
 	client_start();
 	set_state(VALIDATING);
+	return 0;
 }
 
 function time_is_valid() {
@@ -210,7 +213,10 @@ function interval_handler() {
 		if (discover_dhcp())
 			return;
 
-		if (discover_flash())
+		if (system('/usr/bin/est_client enroll'))
+			return;
+
+		if (!discover_flash())
 			return;
 
 		redirector_lookup();
@@ -287,6 +293,25 @@ let ubus_methods = {
 
 		}
 	},
+	status: {
+		call: function(req) {
+			const names = [ 'discover', 'validate', 'online', 'offline', 'orphan' ];
+			let ret = { state: names[state] };
+			switch(state){
+			case OFFLINE:
+				ret.since = time() - offline_time;
+				break;
+			case ORPHAN:
+				ret.since = time() - orphan_time;
+				break;
+			case VALIDATING:
+				ret.since = time() - validate_time;;
+				break;
+			}
+			return ret;
+		},
+		args: {},
+	},
 };
 
 if (gateway_available()) {

feeds/tip/cloud_discovery/files/usr/bin/est_client

@@ -0,0 +1,172 @@
+#!/usr/bin/ucode
+
+'use strict';
+
+import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
+import * as fs from 'fs';
+
+
+ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "est_client");
+
+function generate_csr(cert) {
+	if (!fs.stat('/tmp/csr.nohdr.p10')) {
+		let pipe = fs.popen(`openssl x509 -in ${cert} -noout -subject`);
+		let subject = pipe.read("all");
+		pipe.close();
+		subject = rtrim(subject);
+		subject = replace(subject, 'subject=', '/');
+		subject = replace(subject, ' = ', '=');
+		subject = replace(subject, ', ', '/');
+
+		let ret = system(`openssl req -subj "${subject}" -new -key /etc/ucentral/key.pem -out /tmp/csr.p10`);
+		if (ret) {
+			ulog(LOG_INFO, 'Failed to generate CSR\n');
+			return 1;
+		}
+
+		let input = fs.open('/tmp/csr.p10', 'r');
+		let output = fs.open('/tmp/csr.nohdr.p10', 'w');
+		let line;
+		while (line = input.read('line')) {
+		        if (substr(line, 0, 4) == '----')
+		                continue;
+			output.write(line);
+		}
+		input.close();
+		output.close();
+		ulog(LOG_INFO, 'Generated CSR\n');
+	}
+	return 0;
+}
+
+function store_operational_cert(path, target) {
+	system('mount_certs');
+	system(`cp ${path} /certificates/${target}`);
+	system('store_certs');
+
+	ulog(LOG_INFO, `Persistently stored ${target}\n`);
+}
+
+function p7_too_pem(src, dst) {
+	let input = fs.readfile(src);
+	let output = fs.open('/tmp/convert.p7', 'w');
+	output.write('-----BEGIN PKCS #7 SIGNED DATA-----\n');
+	output.write(`${input}\n-----END PKCS #7 SIGNED DATA-----`);
+	output.close();
+
+	let ret = system(`openssl pkcs7 -outform PEM -print_certs -in /tmp/convert.p7 -out ${dst}`);
+	if (ret) {
+		ulog(LOG_INFO, 'Failed to convert P7 to PEM\n');
+		return 1;
+	}
+	
+	ulog(LOG_INFO, 'Converted P7 to PEM\n');
+	
+	return 0;
+}
+
+function call_est_server(cert, target) {
+	if (generate_csr(cert))
+		return 1;
+
+	let ret = system('curl -X POST https://qaest.certificates.open-lan.org:8001/.well-known/est/simpleenroll -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
+	if (ret) {
+		ulog(LOG_INFO, 'Failed to request operational certificate\n');
+		return 1;
+	}
+	ulog(LOG_INFO, 'EST succeeded\n');
+
+	return p7_too_pem('/tmp/operational.nohdr.p7', target);
+}
+
+
+function simpleenroll() {
+	if (fs.stat('/etc/ucentral/operational.pem')) {
+		ulog(LOG_INFO, 'Operational certificate is present\n');
+		return 0;
+	}
+
+	if (call_est_server('/etc/ucentral/cert.pem', '/etc/ucentral/operational.pem'))
+		return 1; 
+	
+	ulog(LOG_INFO, 'Operational cert acquired\n');
+	store_operational_cert('/etc/ucentral/operational.pem', 'operational.pem');
+	return 0;
+}
+
+function simplereenroll() {
+	if (!fs.stat('/etc/ucentral/operational.pem')) {
+		ulog(LOG_INFO, 'Operational certificate was not found\n');
+		return 0;
+	}
+
+	if (call_est_server('/etc/ucentral/operational.pem', '/tmp/operational.pem'))
+		return 1;
+	
+	ulog(LOG_INFO, 'Operational cert updated\n');
+	store_operational_cert('/tmp/operational.pem', 'operational.pem');
+
+	return 0;
+}
+
+function load_operational_ca() {
+	if (fs.stat('/etc/ucentral/operational.ca')) {
+		ulog(LOG_INFO, 'Operational CA is present\n');
+		return 0;
+	}
+	let ret = system('curl -X GET https://qaest.certificates.open-lan.org:8001/.well-known/est/cacerts --cert /etc/ucentral/cert.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.ca.nohdr.p7');
+	if (!ret)
+		ret = p7_too_pem('/tmp/operational.ca.nohdr.p7', '/etc/ucentral/operational.ca');
+	if (ret) {
+		ulog(LOG_INFO, 'Failed to load CA\n');
+		return 1;
+	}
+	system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/operational.ca');
+	ulog(LOG_INFO, 'Acquired CA\n');
+	store_operational_cert('/etc/ucentral/operational.ca', 'operational.ca');
+	return 0;
+}
+
+function fwtool() {
+	let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
+	let issuer = pipe.read("all");
+	pipe.close();
+
+	if (!(match(issuer, /OpenLAN/) && match(issuer, /Birth CA/)))
+		return 0;
+
+	ulog(LOG_INFO, 'The issuer is insta\n');
+
+	let metadata = fs.readfile('/tmp/sysupgrade.meta');
+	if (metadata)
+		metadata = json(metadata);
+	if (!metadata)
+		return 0;
+
+	if (!metadata.est_supported) {
+		ulog(LOG_INFO, 'The image does not support EST\n');
+		return 1;
+	}
+	ulog(LOG_INFO, 'The image supports EST\n');
+
+	return 0;
+}
+
+switch(ARGV[0]) {
+case 'enroll':
+	if (simpleenroll())
+		exit(1);
+
+	if (load_operational_ca())
+		exit(1);
+
+	exit(0);
+
+case 'reenroll':
+	if (simplereenroll())
+		exit(1);
+	exit(0);
+
+case 'fwtool':
+	exit(fwtool());
+}

feeds/tip/cloud_discovery/files/usr/share/ucentral/cloud_discovery.uc

@@ -5,6 +5,7 @@ import * as fs from 'fs';
 
 let cmd = ARGV[0];
 let ifname = getenv("interface");
+let opt224 = getenv("opt138");
 let opt224 = getenv("opt224");
 
 if (cmd != 'bound' && cmd != 'renew')
@@ -21,6 +22,13 @@ if (file.server && file.port && file.valid)
 let cloud = {
 	lease: true,
 };
+if (opt138) {
+	let dhcp = hexdec(opt138);
+	dhcp = split(dhcp, ':');
+	cloud.dhcp_server = dhcp[0];
+	cloud.dhcp_port = dhcp[1] ?? 15002;
+	cloud.no_validation = true;
+}
 if (opt224) {
 	let dhcp = hexdec(opt224);
 	dhcp = split(dhcp, ':');
@@ -29,7 +37,7 @@ if (opt224) {
 }
 fs.writefile('/tmp/cloud.json', cloud);
 
-if (opt224 && cmd == 'renew') {
+if ((opt138 || opt224) && cmd == 'renew') {
 	let ubus = libubus.connect();
 	ubus.call('cloud', 'renew');
 }

feeds/tip/firstcontact/Makefile

@@ -1,25 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=firstcontact
-PKG_RELEASE:=1
-
-PKG_LICENSE:=BSD-3-Clause
-PKG_MAINTAINER:=John Crispin <john@phrozen.org>
-
-include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/cmake.mk
-
-define Package/firstcontact
-  SECTION:=ucentral
-  CATEGORY:=uCentral
-  TITLE:=TIP DigiCert firstcontact
-  DEPENDS:=+libubox +libcurl +libopenssl +certificates
-endef
-
-define Package/firstcontact/install
-	$(INSTALL_DIR) $(1)/usr/sbin
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/digicert $(1)/usr/sbin/
-	$(CP) ./files/* $(1)
-endef
-
-$(eval $(call BuildPackage,firstcontact))

feeds/tip/firstcontact/files/etc/init.d/firstcontact

@@ -1,12 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=99
-USE_PROCD=1
-PROG=/usr/bin/ucode
-
-start_service() {
-	procd_open_instance
-	procd_set_param command "$PROG" -l uci -l fs /usr/share/ucentral/firstcontact.uc
-	procd_set_param respawn 1 10 0
-	procd_close_instance
-}

feeds/tip/firstcontact/files/etc/uci-defaults/zzz-firstcontact

@@ -1,3 +0,0 @@
-#!/bin/sh
-[ -f "/etc/ucentral/gateway.json" ] && /etc/init.d/firstcontact disable
-[ -f "/etc/ucentral/gateway.json" ] || /etc/init.d/ucentral disable

feeds/tip/firstcontact/files/usr/share/ucentral/firstcontact.uc

@@ -1,83 +0,0 @@
-let config = {};
-
-function store_config() {
-	let redir = split(config.Redirector, ":");
-	let gw = {
-		server: redir[0],
-		port: redir[1] || 15002
-	};
-	fs.writefile('/etc/ucentral/gateway.json', gw);
-}
-
-function store_config_uci(path) {
-        let cursor = uci.cursor(path);
-        let redir = split(config.Redirector, ":");
-
-        cursor.load("ucentral");
-        cursor.set("ucentral", "config", "server", redir[0]);
-        cursor.set("ucentral", "config", "port", redir[1] || 15002);
-        cursor.commit();
-}
-
-function digicert() {
-	let devid;
-	let fd = fs.open("/etc/ucentral/dev-id", "r");
-	if (!fd) {
-		warn("firstcontact: failed to find device id");
-		exit(1);
-	}
-	devid = fd.read("all");
-	fd.close();
-
-	ret = system(sprintf('/usr/sbin/digicert -i %s', devid));
-	if (ret) {
-		warn("firstcontact failed to contact redirector, check DHCP option\n");
-		let fd = fs.open("/tmp/capwap/dhcp_opt.txt", "r");
-		if (!fd) {
-			warn("No redirector found\n");
-			exit(1);
-		} else {
-			config.Redirector = fd.read("all");
-			fd.close();
-		}
-	} else {
-		let redirector = { };
-		let fd = fs.open("/etc/ucentral/redirector.json", "r");
-		if (fd) {
-			let data = fd.read("all");
-			fd.close();
-
-			try {
-				redirector = json(data);
-			}
-			catch (e) {
-				warn("firstcontact: Unable to parse JSON data in %s: %s", path, e);
-
-				exit(1);
-			}
-		}
-
-		for (let r in redirector.fields)
-			if (r.name && r.value)
-				config[r.name] = r.value;
-		if (!config.Redirector) {
-			warn("Reply is missing Redirector field\n");
-			exit(1);
-		}
-
-	}
-}
-
-if (!fs.stat('/etc/ucentral/gateway.json')) {
-	digicert();
-	store_config();
-	store_config_uci();
-	store_config_uci("/etc/config-shadow/");
-	warn("firstcontact: managed to look up redirector\n");
-}
-
-system("/etc/init.d/ucentral enable");
-system("/etc/init.d/firstcontact disable");
-system("reload_config");
-system("/etc/init.d/ucentral start");
-system("/etc/init.d/firstcontact stop");

feeds/tip/firstcontact/src/CMakeLists.txt

@@ -1,13 +0,0 @@
-cmake_minimum_required(VERSION 2.6)
-
-PROJECT(digicert C)
-INCLUDE(GNUInstallDirs)
-ADD_DEFINITIONS(-Os -ggdb -Wall -Werror --std=gnu99 -Wmissing-declarations)
-
-SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
-
-ADD_EXECUTABLE(digicert digicert.c)
-TARGET_LINK_LIBRARIES(digicert curl crypto ssl ubox)
-INSTALL(TARGETS digicert
-	RUNTIME DESTINATION ${CMAKE_INSTALL_SBINDIR}
-)

feeds/tip/firstcontact/src/digicert.c

@@ -1,104 +0,0 @@
-#define _GNU_SOURCE
-#include <stdio.h>
-#include <unistd.h>
-#include <getopt.h>
-
-#include <curl/curl.h>
-
-#include <libubox/ulog.h>
-
-static const char *file_cert = "/etc/ucentral/cert.pem";
-static const char *file_key  = "/etc/ucentral/key.pem";
-static const char *file_json = "/etc/ucentral/redirector.json";
-static const char *file_dbg  = "/tmp/digicert.hdr";
-
-int main(int argc, char **argv)
-{
-	FILE *fp_json;
-	FILE *fp_dbg;
-	CURLcode res;
-	CURL *curl;
-	char *devid = NULL;
-	char *url;
-
-	alarm(15);
-
-	while (1) {
-		int option = getopt(argc, argv, "k:c:o:hi:");
-
-		if (option == -1)
-			break;
-
-		switch (option) {
-		case 'k':
-			file_key = optarg;
-			break;
-		case 'c':
-			file_cert = optarg;
-			break;
-		case 'o':
-			file_json = optarg;
-			break;
-		case 'i':
-			devid = optarg;
-			break;
-		default:
-		case 'h':
-			printf("Usage: digicert OPTIONS\n"
-			       "  -k <keyfile>\n"
-			       "  -c <certfile>\n"
-			       "  -o <outfile>\n"
-			       "  -i <devid>\n");
-			return -1;
-		}
-	}
-
-	if (!devid) {
-		fprintf(stderr, "missing devid\n");
-		return -1;
-	}
-
-	ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "digicert");
-	ULOG_INFO("attempting first contact\n");
-
-	fp_dbg = fopen(file_dbg, "wb");
-	fp_json = fopen(file_json, "wb");
-	if (!fp_json) {
-		ULOG_ERR("failed to create %s\n", file_json);
-		return -1;
-	}
-
-	curl_global_init(CURL_GLOBAL_DEFAULT);
-	curl = curl_easy_init();
-	if (!curl) {
-		ULOG_ERR("curl_easy_init failed\n");
-		return -1;
-	}
-
-	if (asprintf(&url, "https://clientauth.one.digicert.com/iot/api/v2/device/%s", devid) < 0) {
-		ULOG_ERR("failed to assemble url\n");
-		return -1;
-	}
-
-	curl_easy_setopt(curl, CURLOPT_URL, url);
-	curl_easy_setopt(curl, CURLOPT_WRITEDATA, fp_json);
-	curl_easy_setopt(curl, CURLOPT_HEADERDATA, fp_dbg);
-	curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
-	curl_easy_setopt(curl, CURLOPT_SSLCERT, file_cert);
-	curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, "PEM");
-	curl_easy_setopt(curl, CURLOPT_SSLKEY, file_key);
-	curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
-	curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 10L);
-
-	res = curl_easy_perform(curl);
-	if (res != CURLE_OK)
-		ULOG_ERR("curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
-	else
-		ULOG_INFO("downloaded first contact data\n");
-	curl_easy_cleanup(curl);
-	curl_global_cleanup();
-
-	ulog_close();
-
-	return (res != CURLE_OK);
-}

feeds/tip/luci/luci-mod-ucentral/root/sbin/certupdate

@@ -17,14 +17,16 @@ mkdir -p /tmp/certs
 tar x -C /tmp/certs -f /tmp/certs.tar
 
 # make sure the required files exist
-[ -f /tmp/certs/cas.pem -a -f /tmp/certs/key.pem -a -f /tmp/certs/cert.pem ] || exit 1
-[ -f /tmp/certs/gateway.json -o -f /tmp/certs/dev-id ] || exit 1
+[ -f /tmp/certs/key.pem -a -f /tmp/certs/cert.pem ] || exit 1
 
 # copy the certificates to /etc
 cp /tmp/certs/*.pem /certificates
 
+# remove old operational certs
+rm /certificates/operational.*
+
 # copy dev-id or gateway.json
-for a in dev-id gateway.json; do
+for a in gateway.json; do
 	if [ -f /tmp/certs/$a ]; then
 		cp /tmp/certs/$a /certificates
 	else

feeds/tip/tip-defaults/files/etc/ucentral/insta.pem

@@ -0,0 +1,6 @@
+-----BEGIN CERTIFICATE-----
+MIIFajCCA1KgAwIBAgICDnowDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3BlbkxBTiBEZW1vIFJvb3QgQ0EwHhcNMjUwMjIxMTUwMDAwWhcNMjYwMjIxMTUwMDAwWjAgMR4wHAYDVQQDExVPcGVuTEFOIERlbW8gQmlydGggQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDVWIyySul6Fv4wl1O+DQpaLRa0p+Az5L/jcqTpdVf6w+8tlmeIY9C28uDQoDjewrIkvf3lcfK86nshs02s9ehqZUnEP8+GvKM19x3JbWxeTvWwFirjHir4x897iQ606bAMbrHHtntI9ZyBZyXDGeElGJxJQNX+0d50SFq609cB3yxpBPJ67ag+4Oq0uHgROHjEQMrfwLwlAune0c1fjQDrN14PDNjMZHvvhc/pkAHxR1PP6LOFNV5NuQ58tC5N7R2EqqFbIJ8VZgcagrGRYuAuFFTaV+D7RIt9xGTuWlCyxHI7VkRBJ1mRoEr4GOrP9QFjBD8NzNK+/wnR/fZwhpEnRsgHiI33wKHBDg+l3r8tvRzuB5X6Gl/SfuAeaoCuDHMncTjQg1zGhyEwjQhUe4RY3w+yHAjeeOE6c5spOMDDdaBibkzLmSjXztuLeAdzsUcD3fvGeOvh9vG14TKEmF8puNkqEcc0W8NyUWKFdr9umdJEMbaRSSsMGtp8bDj3Ddh4PhEJrIFeo89+HwXhU6sk+wzE9BULTohahsfwOV/08t1cZ3Q04Oj1KI+4YWu8BJns5gX35rQ8GIbkXQwfvFMwqmbg+ij2o9HWdkSL4bcqW/83Ho+31ce210rVGPK9cav0CjA2Eexgxi45cbgnfoade74Qa5zXboJEBmp7rbo4swIDAQABo4GuMIGrMB8GA1UdIwQYMBaAFDzIg8eyTI3xc4A2R60f8HanhBZDMB0GA1UdDgQWBBS5xC3inqLQl+vxzn9PsjNzlZ5hYDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vZGVtby5jZXJ0aWZpY2F0ZS5maS9jcmwvT3BlbkxBTkRlbW9Sb290Q0EuY3JsMA0GCSqGSIb3DQEBCwUAA4ICAQA9DJEjsDLqtSFkF0XTWfzbebXA+X8++Qmiukrw0s2LRx798ce0mVITRAFDLf78BeUYF0B+PQ8hgq4fWyFsXRgZVrITd1BszT3LJ2r/6xWQJVpVHzLqKgIlW/PY/uTUz+xqR0Ev6hYrmrjfya0K0XEZZqxkmrTrcECaA3RCFkWQl9ZUlb9BClmdhayO8x1XpJplIYAMKVuoPL9IUQH6HUPFnzlPNQHIK9gcFACtgPVWCJg3IAvSLa41KpRxTDwGFvlrNKtkBlGRYhFGCHWXXZn8fdQHW9vykkkfPOaPR/AVyuRzfAT6wbtVWSy38BurSdqSCuNQPQBfF2vMeUGwNbD/7B4tYrWVtnIbgxRPKvX0o3mZkKry6BJf2m/AKWA16W+i4ojnPRORLTTq9cEZ0WL6NRHCgMrbWaCs/+ADTErqK6cv7GhoOVEiqugvnz93dit2IXg4zdDJ4hF9ZSlicwgZKVvMqnNQ1iiXezIQBehgYcWwXRIfdrRPe88HgkySuDZ2lkKYdc+oTc6e7upRh4Kh2ZSipcRb6ehPan533jnQJyU8A9vFAJiQfZZ4lD3tcsqlsDnlu5YEDYSjcfnkyOH/Mlx5VVTWYGvqNNVKRDw2slSxKwVCobkcF/2dAxP9DqOaGaCnMeOaR7kMaBm5d1fwb+bCl9usQAELjZBv2vAH8g==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFIDCCAwigAwIBAgICDnkwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3BlbkxBTiBEZW1vIFJvb3QgQ0EwHhcNMjUwMjIxMTUwMDAwWhcNMjYwMjIxMTUwMDAwWjAfMR0wGwYDVQQDDBRPcGVuTEFOIERlbW8gUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMjExylKdJWoJu9mOHPJ6yZFXKe1lE467G65acpS2FKIWnPVFjNCmATMpkMOIFzEFwyFdbQjzOidtiL+73zlE52lOJpXCfOcxDFqDYDJJ8//J1/gQWsBaKpSvgLiHU/0awkQg+yJYZpj8YZa4NkFe+zTjQScSfOsqPPb3rZ7DOQ2BKAhjVShKmVbtNil0iO0zm8vE8DNkktTNMREp2pzb8MbCAgfOkwlrby6T+rV3TvmjThGdFUb5lWDFxWtlF8W0SUII9qj7p5TdGpryeLsO0nZTBtS4HxZNdvmKOHfgcRHmSZIJigB2NzKLNrXF9JBW0WnUSwZJZAG2C1RTx6lADILPueuusyfR/hZ3koKi4PHnSiTwQghzia9K9QjNHq5z9R9ZoCnhBg1VyU4LKmp862L0sIp2vgnOYunEIi9aCYBaDwo+0FuVjZuXyDIatwVuA7TN5IWPHA6XLdOt1mmkeYy1Ldr4XHjdondhtOyeei1UFXmyyLm2+kmRYfTm91TqYmNzRgbRV2NHO50AmsnBknX4Rv3gishGe0+dV5yFcUwZud0z2rSCkuoai5tKrPT+6Y6NqkT9u9HFifIBXnLwEzVUqHRtW6SuWj2DClVQIXIUZtFnhY4GuTuf6DlzgnXO58oDVCZmCW4ULIpbqGeRsvBHR8Sw5JXP/1+TMUYhE8TAgMBAAGjZjBkMB8GA1UdIwQYMBaAFDzIg8eyTI3xc4A2R60f8HanhBZDMB0GA1UdDgQWBBQ8yIPHskyN8XOANketH/B2p4QWQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATANBgkqhkiG9w0BAQsFAAOCAgEAkHZ5KR8IOrdfMFy+iOvauvZxfQ84LL6TpB2FQKDjneJUdd7c29UJJFNW/0mp4Gc6jKZab6J8Dx/pNnbH0RqFjGjeRGtJ4Sk0G7gf9zw1S7qut5WJDcisM9l/wXC+zy/KSKKPQmbt0grWOtU7+NNPh1YU76hIrInq/u2sVZyKH8SXQ957fbJk6BX6JTKyNEn05AB6rNSrbOWo8sy2MlcJ7bBsrWYI1t6GcWFh4b36bLu7/dKJWpyFNXXIkKJsgMEDpEQae56+fSSDo0KRNtYB82fNZDIQlGK81rGJWNzAahM+3GD1tgk/3ZVugfaJhcBpoHHKNOGqZAvtirLAIDocno7AzqoeIz974Rh2Olsl2/arApYPyyfi8PMYuFe/d4h+Wie8n+jh5n48lZ2Ve4PK+j+QHD6tTZS4f0bGnPL1puMxzQloltuQWgLDeVfEgrc3snLvjOg8aDzWm/es85lP8XcyW54U4t3JmrNUC2C7v+Uafx7cL7eDeunhs+BRhtGV+IUmjub2IrpqZp3zZqn+LVRdYJIy/qHhjS5+ImckXkFojOmeWhfmEmYSuNP8Oa6cGuXp829qnbxLh9Qzi3TfXV883KLse4kL5Zl7gBA/4hz2hVMyGJ8fY+VvzbaTuOXyvKJ+rGZCTcRSeotBLnIevVMiL7SqOEwN0j4Mfbznfq8=
+-----END CERTIFICATE-----

feeds/ucentral/poe/Makefile

@@ -0,0 +1,42 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=poe
+PKG_VERSION:=1.0
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+ifeq ($(CONFIG_TARGET_ipq50xx_generic_DEVICE_sonicfi_rap630w_311g),y)
+TARGET_CFLAGS += -DPLATFORM_EWW631_B1=1
+endif
+
+define Package/poe
+	SECTION:=utils
+	CATEGORY:=Utilities
+	TITLE:=Turn on/off PoE ports with TSP23861 chipset
+	DEPENDS:= +libubox +libubus +libuci +libi2c
+endef
+
+define Package/poe/description
+  Turn on/off PoE ports
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+	$(CP) ./src/* $(PKG_BUILD_DIR)/
+endef
+
+
+define Package/poe/install
+	$(INSTALL_DIR) $(1)
+	$(INSTALL_DIR) $(1)/etc/config $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/poe.init $(1)/etc/init.d/poe
+	$(INSTALL_BIN) ./files/poe.config $(1)/etc/config/poe
+
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/tps23861-poe-ctrl $(1)/usr/bin
+endef
+
+$(eval $(call BuildPackage,poe))

feeds/ucentral/poe/files/poe.init

@@ -0,0 +1,33 @@
+#!/bin/sh /etc/rc.common
+
+START=10
+
+tps23861_poe_ctrl () {
+	local section="$1"
+	local num mode
+	config_get num "$section" port_num
+	config_get mode "$section" admin_mode
+	
+	if [ "$mode" == "1" ]; then
+		output=$(tps23861-poe-ctrl -p "${num}" -P on)
+		echo "<6>${output}" > "/dev/kmsg"
+	else
+		output=$(tps23861-poe-ctrl -p "${num}" -P off)
+		echo "<6>${output}" > "/dev/kmsg"
+	fi
+}
+
+start(){
+	. /lib/functions.sh
+	
+	board=$(board_name)
+	case $board in
+	sonicfi,rap630w-311g|\
+	cybertan,eww631-b1)
+		config_load poe
+		config_foreach tps23861_poe_ctrl port
+		;;
+	*)
+		;;
+	esac
+}

feeds/ucentral/poe/src/Makefile

@@ -0,0 +1,26 @@
+CFLAGS += -Wall -g
+
+INCLUDES =
+
+LDFLAGS = -lubus -lubox -li2c
+
+LIBS = 
+
+SRCS = tps23861-poe-ctrl.c \
+
+OBJS = $(SRCS:.c=.o)
+
+MAIN = tps23861-poe-ctrl
+
+
+all:   $(MAIN) 
+
+$(MAIN): $(OBJS)
+	$(CC) $(CFLAGS) $(INCLUDES) -o $(MAIN) $(OBJS) $(LDFLAGS) $(LIBS)
+	
+.c.o:
+	$(CC) $(CFLAGS) $(INCLUDES) -c $<  -o $@
+
+clean:
+	$(RM) *.o *~ $(MAIN) $(TEST)
+

feeds/ucentral/poe/src/tps23861-poe-ctrl.c

@@ -0,0 +1,215 @@
+/*
+ * User-space daemon formonitoring and managing PoE ports with
+ * TI TPS23861 chips. based on the Linux Kernel TPS23861
+ * HWMON driver.
+*/
+
+#include <stdio.h>		/* Standard input/output definitions */
+#include <string.h>		/* String function definitions */
+#include <unistd.h>		/* UNIX standard function definitions */
+#include <fcntl.h>		/* File control definitions */
+#include <errno.h>		/* Error number definitions */
+#include <sys/ioctl.h>
+#include <linux/i2c.h>
+#include <linux/i2c-dev.h>  /* uapi/linux/i2c-dev.h */
+
+#include <libubox/ulog.h>
+
+#define TPS23861_I2C_ADDR				0x20
+#define DETECT_CLASS_RESTART			0x18
+#define POWER_ENABLE					0x19
+#define POWER_ON_SHIFT					0
+#define POWER_OFF_SHIFT					4
+
+typedef unsigned char	u8;
+
+#if defined(PLATFORM_EWW631_B1)
+#define TPS23861_NUM_PORTS				1
+#endif
+
+#define CONVERT_PORT_NUM(x)				(1 << ((u8)x-1))
+
+unsigned int  PORT_POWER_STATUS[TPS23861_NUM_PORTS];
+
+int i2c_handler = -1;
+#define ULOG_DBG(fmt, ...) ulog(LOG_DEBUG, fmt, ## __VA_ARGS__)
+
+int open_device(void)
+{
+	int fd, fset;
+
+	fd = open("/dev/i2c-0", O_RDWR);
+	fset = fcntl(fd, F_SETFL, 0);
+	if (fset < 0)
+		printf("fcntl failed!\n");
+
+	//if (isatty(STDIN_FILENO) == 0)
+	//	printf("standard input is not a terminal device\n");
+
+	return fd;
+}
+
+int access_salve(int fd)
+{
+	int ret;
+
+	if((ret = ioctl(fd, I2C_SLAVE, TPS23861_I2C_ADDR)) < 0)
+	{
+		printf("%s: Failed to access slave bus[%s]\n",__func__, strerror(errno));
+		return -1;
+	}
+	return(ret);
+}
+
+// Write to an I2C slave device's register:
+int i2c_write(u8 slave_addr, u8 reg, u8 data)
+{
+	u8 outbuf[2];
+
+	struct i2c_msg msgs[1];
+	struct i2c_rdwr_ioctl_data msgset[1];
+
+	outbuf[0] = reg;
+	outbuf[1] = data;
+
+	msgs[0].addr = slave_addr;
+	msgs[0].flags = 0;
+	msgs[0].len = 2;
+	msgs[0].buf = outbuf;
+
+	msgset[0].msgs = msgs;
+	msgset[0].nmsgs = 1;
+
+	if (ioctl(i2c_handler, I2C_RDWR, &msgset) < 0) {
+		perror("ioctl(I2C_RDWR) in i2c_write");
+		return -1;
+	}
+
+	return 0;
+}
+
+void poe_set_PowerOnOff(u8 port, u8 on_off) {
+	u8 value;
+	u8 portBit;
+	portBit = CONVERT_PORT_NUM(port+1);
+
+	if(on_off == 0) {
+		value = (portBit << POWER_OFF_SHIFT);
+		PORT_POWER_STATUS[port] = 0;
+	} else {
+		value = (portBit << POWER_ON_SHIFT);
+		PORT_POWER_STATUS[port] = 1;
+	}
+
+	ULOG_DBG("set Port%d Power Status [%d] portBit 0x[%x] value 0x[%x]\n", port+1, PORT_POWER_STATUS[port], portBit, value);
+
+	if(i2c_write(TPS23861_I2C_ADDR, POWER_ENABLE, value) < 0)
+	{
+		ULOG_ERR("Set port%d power on-off error (0x19)\n", port);
+	}
+}
+
+void RestartPortDetectClass(u8 port)
+{
+	u8 value;
+
+	value = (1 << port) | (1 << (port + 4));
+	ULOG_DBG("RestartPortDetectClass value 0x%x\n", value);
+	if(i2c_write(TPS23861_I2C_ADDR, DETECT_CLASS_RESTART, value) < 0) {
+			ULOG_ERR("Set port%d detection and class on error\n",port);
+	}
+}
+
+int usage(const char *progname)
+{
+	fprintf(stderr, "Usage: %s -p <1-3> -P <on|off> [options]\n"
+			"Required options:\n"
+			"  -p <1-3>:           Select port number (Only port 1 is supported)\n"
+			"  -P <on|off>:        Set PSE function state <on|off>\n"
+			"Optional options:\n"
+			"  -d                  Enable debug mode\n"
+			"\n", progname);
+	return 1;
+}
+
+static int setPSE(int port ,char *optarg)
+{
+	int ret = 0;
+	i2c_handler = open_device();
+	if (i2c_handler < 0) {
+		ULOG_ERR("open i2c-0 device error!\n");
+		goto EXIT;
+	}
+
+	ret = access_salve(i2c_handler);
+	if (ret < 0)
+	{
+		ULOG_ERR("The i2c-0 access error\n");
+		goto EXIT;
+	}
+
+	if(!strncmp("on", optarg, 2)) {
+		printf("Enable port%d PSE function\n", port);
+		RestartPortDetectClass(port-1);
+	}
+	else if (!strncmp("off", optarg, 3)) {
+		printf("Disable port%d PSE function\n", port);
+		poe_set_PowerOnOff(port-1, 0);
+	}
+	else {
+		ULOG_ERR("[Set] Do not accept this optarg!!!\n");
+		ret = 1;
+	}
+EXIT:
+	close(i2c_handler);
+	return ret;
+}
+
+int main(int argc, char *argv[])
+{
+	int ch, ret = 0, port = 0;
+	char *PSE = NULL;
+	if (argc == 1) {
+		return usage(argv[0]);
+	}
+
+
+	ulog_open(ULOG_STDIO | ULOG_SYSLOG, LOG_DAEMON, "tps23861");
+	ulog_threshold(LOG_INFO);
+
+	while ((ch = getopt(argc, argv, "dp:P:")) != -1) {
+		switch (ch) {
+		case 'd':
+			printf("tps23861-i2c-control ulog_threshold set to debug level\n");
+			ulog_threshold(LOG_DEBUG);
+			break;
+
+		case 'p':
+			port = atoi(optarg);
+			break;
+
+		case 'P':
+			PSE = optarg;
+			break;
+
+		default:
+			ret = usage(argv[0]);
+			break;
+		}
+	}
+
+	if (port < 1 || port > 3) {
+		ret = usage(argv[0]);
+	}
+	else {
+		if (PSE) {
+			setPSE(port, PSE);
+		}
+		else {
+			ret = usage(argv[0]);
+		}
+	}
+
+	return ret;
+
+}

feeds/ucentral/ucentral-client/Makefile

@@ -4,10 +4,10 @@ PKG_NAME:=ucentral-client
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL=https://github.com/Telecominfraproject/wlan-ucentral-client.git
-PKG_MIRROR_HASH:=20d0573e5460ae9780307ab9d54234bb75d3b98fb36806f896819918087b14df
+PKG_MIRROR_HASH:=7dfeaedf141a6377de2dc6bcd646b1640201f204db42af52777d018700bc991c
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2024-10-20
-PKG_SOURCE_VERSION:=8c45f965c30d1cf11e3a5a625a5e2baf3178697f
+PKG_SOURCE_DATE:=2025-06-27
+PKG_SOURCE_VERSION:=08a842d9921196821a19d52b9061db6c428aab3f
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>

feeds/ucentral/ucentral-client/files/etc/init.d/cpm

@@ -0,0 +1,14 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=01
+
+boot() {
+    mkdir -p /tmp/cpm/ || { logger -t init "Failed to create /tmp/cpm"; exit 1; }
+    opkg list-installed > /tmp/packages.state || { logger -t init "Failed to list packages"; exit 1; }
+    if [ -x /usr/share/ucentral/package_list.uc ]; then
+        /usr/share/ucentral/package_list.uc || { logger -t init "Failed to execute package_list.uc"; exit 1; }
+    else
+        logger -t init "package_list.uc not found or not executable"
+    fi
+}

feeds/ucentral/ucentral-schema/Makefile

@@ -4,10 +4,10 @@ PKG_NAME:=ucentral-schema
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL=https://github.com/Telecominfraproject/wlan-ucentral-schema.git
-PKG_MIRROR_HASH:=c641622188b9b378550c21b1dcfa105b08a60e534d7d77ae63001d38a3e95cd8
+PKG_MIRROR_HASH:=aac8731d564f4ccd85a366417b9a02c1d3de9b6533d1474b58768249c50707f1
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2025-01-27
-PKG_SOURCE_VERSION:=ac3a1c7c25339de11e005dd4d1d4007a0c00c4b6
+PKG_SOURCE_DATE:=2025-06-27
+PKG_SOURCE_VERSION:=125a148764c9ef7a02086b6fadccd7b96bfdf591
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=BSD-3-Clause
 

feeds/ucentral/ucentral-schema/files/etc/uci-defaults/99-ucentral-poe

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+board=$(board_name)
+case $board in
+	sonicfi,rap630w-311g|\
+	cybertan,eww631-b1)
+		for num in $(seq 1 3)
+		do
+			uci add poe port
+			uci set poe.@port[-1]='port'
+			eval uci set poe.@port[-1].port_num='${num}'
+			uci set poe.@port[-1].admin_mode='1'
+		done
+		uci commit
+		;;
+	*)
+		;;
+esac

patches/0029-netifd-Support-DHCP-option-138-and-store-values-in-t.patch

@@ -1,93 +0,0 @@
-From e4ad9777fae3bb3a71988fa738f16cb8d6884d7e Mon Sep 17 00:00:00 2001
-From: Tanya Singh <tanya_singh@accton.com>
-Date: Tue, 28 Jun 2022 17:11:52 +0800
-Subject: [PATCH 29/68] netifd: Support DHCP option 138 and store values in
- /tmp/capwap/dhcp_opt.txt
-
-Signed-off-by: Tanya Singh <tanya_singh@accton.com>
----
- .../netifd/files/lib/netifd/dhcp.script       | 22 +++++++++++++++++++
- .../netifd/files/lib/netifd/proto/dhcp.sh     |  1 +
- .../busybox/patches/531-dhcp_opt_capwap.patch | 18 +++++++++++++++
- 3 files changed, 41 insertions(+)
- create mode 100644 package/utils/busybox/patches/531-dhcp_opt_capwap.patch
-
-diff --git a/package/network/config/netifd/files/lib/netifd/dhcp.script b/package/network/config/netifd/files/lib/netifd/dhcp.script
-index 6fcf139beb..29de85f221 100755
---- a/package/network/config/netifd/files/lib/netifd/dhcp.script
-+++ b/package/network/config/netifd/files/lib/netifd/dhcp.script
-@@ -4,6 +4,24 @@
- . /lib/functions.sh
- . /lib/netifd/netifd-proto.sh
- 
-+WORKING_PATH=/tmp/capwap
-+DHCP_OPT_FILE=${WORKING_PATH}/dhcp_opt.txt
-+DHCP_OPT_FILE_TMP=${WORKING_PATH}/dhcp_opt_tmp.txt
-+
-+set_capwap_ip()
-+{
-+	local ip
-+	if [ ! -d "${WORKING_PATH}" ]; then
-+		mkdir -p ${WORKING_PATH}
-+	fi
-+	for ip in ${capwap}; do
-+		echo -n ${ip} >> ${DHCP_OPT_FILE_TMP}
-+	done
-+	if ! cmp -s "${DHCP_OPT_FILE}" "${DHCP_OPT_FILE_TMP}"; then
-+		mv ${DHCP_OPT_FILE_TMP} ${DHCP_OPT_FILE}
-+	fi
-+}
-+
- set_classless_routes() {
- 	local max=128
- 	while [ -n "$1" -a -n "$2" -a $max -gt 0 ]; do
-@@ -111,6 +129,10 @@ case "$1" in
- 	;;
- esac
- 
-+if [ -n "${capwap}" ]; then
-+	set_capwap_ip
-+fi
-+
- # user rules
- [ -f /etc/udhcpc.user ] && . /etc/udhcpc.user "$@"
- for f in /etc/udhcpc.user.d/*; do
-diff --git a/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh b/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh
-index 636b4654ff..18a9aaf2a3 100755
---- a/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh
-+++ b/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh
-@@ -61,6 +61,7 @@ proto_dhcp_setup() {
- 	[ "$delegate" = "0" ] && proto_export "IFACE6RD_DELEGATE=0"
- 	# Request classless route option (see RFC 3442) by default
- 	[ "$classlessroute" = "0" ] || append dhcpopts "-O 121"
-+	append dhcpopts "-O 138"
- 
- 	proto_export "INTERFACE=$config"
- 	proto_run_command "$config" udhcpc \
-diff --git a/package/utils/busybox/patches/531-dhcp_opt_capwap.patch b/package/utils/busybox/patches/531-dhcp_opt_capwap.patch
-new file mode 100644
-index 0000000000..6c60159555
---- /dev/null
-+++ b/package/utils/busybox/patches/531-dhcp_opt_capwap.patch
-@@ -0,0 +1,18 @@
-+--- a/networking/udhcp/common.c	2022-06-28 09:32:48.853072914 +0800
-++++ b/networking/udhcp/common.c	2022-06-28 09:39:28.000000000 +0800
-+@@ -54,6 +54,7 @@
-+ 	{ OPTION_STRING                           , 0x43 }, /* DHCP_BOOT_FILE     */
-+ //TODO: not a string, but a set of LASCII strings:
-+ //	{ OPTION_STRING                           , 0x4D }, /* DHCP_USER_CLASS    */
-++	{ OPTION_IP	| OPTION_LIST				  , 0x8A }, /* DHCP_CAPWAP       */
-+ 	{ OPTION_STRING                           , 0x64 }, /* DHCP_PCODE         */
-+ 	{ OPTION_STRING                           , 0x65 }, /* DHCP_TCODE         */
-+ #if ENABLE_FEATURE_UDHCP_RFC3397
-+@@ -123,6 +124,7 @@
-+ 	"tftp" "\0"             /* DHCP_TFTP_SERVER_NAME*/
-+ 	"bootfile" "\0"         /* DHCP_BOOT_FILE       */
-+ //	"userclass" "\0"        /* DHCP_USER_CLASS      */
-++	"capwap" "\0"      		/* DHCP_CAPWAP		*/
-+ 	"tzstr" "\0"            /* DHCP_PCODE           */
-+ 	"tzdbstr" "\0"          /* DHCP_TCODE           */
-+ #if ENABLE_FEATURE_UDHCP_RFC3397
--- 
-2.34.1
-

patches/0091-fwtool-check-for-EST-support-if-the-cert-was-issued-.patch

@@ -0,0 +1,43 @@
+From 8e70ae7c71fb0a31b3b95f156b2d865ba8a07ae8 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Fri, 13 Jun 2025 12:06:48 +0200
+Subject: [PATCH] fwtool: check for EST support if the cert was issued by insta
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ include/image-commands.mk                      | 3 ++-
+ package/base-files/files/lib/upgrade/fwtool.sh | 4 ++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/include/image-commands.mk b/include/image-commands.mk
+index d3c9cea293..b7a0d98d3d 100644
+--- a/include/image-commands.mk
++++ b/include/image-commands.mk
+@@ -85,7 +85,8 @@ metadata_json = \
+ 			"revision": "$(call json_quote,$(REVISION))", \
+ 			"target": "$(call json_quote,$(TARGETID))", \
+ 			"board": "$(call json_quote,$(if $(BOARD_NAME),$(BOARD_NAME),$(DEVICE_NAME)))" \
+-		} \
++		}, \
++		"est_supported": 1 \
+ 	}'
+ 
+ define Build/append-metadata
+diff --git a/package/base-files/files/lib/upgrade/fwtool.sh b/package/base-files/files/lib/upgrade/fwtool.sh
+index 8bd00a3332..a84eb96baf 100644
+--- a/package/base-files/files/lib/upgrade/fwtool.sh
++++ b/package/base-files/files/lib/upgrade/fwtool.sh
+@@ -51,6 +51,10 @@ fwtool_check_image() {
+ 	json_get_var compatmessage compat_message
+ 	[ -n "$imagecompat" ] || imagecompat="1.0"
+ 
++	if ! est_client fwtool; then
++		return 1
++	fi
++
+ 	# select correct supported list based on compat_version
+ 	# (using this ensures that compatibility check works for devices
+ 	#  not knowing about compat-version)
+-- 
+2.34.1
+

profiles/cig_wf189.yml

@@ -13,3 +13,4 @@ packages:
   - ipq53xx
   - ftm
   - qca-ssdk-shell
+  - kmod-cig-poe-judgment 

profiles/cig_wf189h.yml

@@ -12,3 +12,4 @@ include:
 packages:
   - ipq53xx
   - qca-ssdk-shell
+  - kmod-cig-poe-judgment 

profiles/cig_wf189w.yml

@@ -12,3 +12,4 @@ include:
 packages:
   - ipq53xx
   - qca-ssdk-shell
+  - kmod-cig-poe-judgment 

profiles/cig_wf672.yml

@@ -21,3 +21,4 @@ packages:
   - kmod-gpio-pca953x
   - kmod-hwmon-tmp103
   - kmod-iio-ilps22qs
+  - kmod-cig-poe-judgment 

profiles/sonicfi_rap630w-311g.yml

@@ -10,5 +10,6 @@ feeds:
 packages:
   - ipq50xx
   - cooling
+  - poe
 include:
   - ucentral-ap