est_client: fix certificate issuer matching

Signed-off-by: Arif Alam <arif.alam@netexperience.com>

feeds/ipq807x_v5.4/hostapd/files/hostapd.uc

@@ -900,7 +900,10 @@ return {
 				hostapd.printf(`Sending AFC request: ${data}`);
 				writefile("/tmp/afc-request.json", data);
 
-				system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' -H \'Authorization: Bearer ${afc_server.access_token}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);
+				if (afc_server.access_token)
+					system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' -H \'Authorization: Bearer ${afc_server.access_token}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);
+				else if (afc_server.cert)
+					system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' --cert \'${afc_server.cert}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);
 
 				let afc_response = (readfile("/tmp/afc-response.json"));
 				if (afc_response)

feeds/ipq807x_v5.4/ipq50xx/base-files/lib/upgrade/platform.sh

@@ -107,29 +107,42 @@ platform_do_upgrade() {
 
 	board=$(board_name)
 	case $board in
-	glinet,b3000|\
 	edgecore,oap101|\
 	edgecore,oap101-6e|\
 	edgecore,oap101e|\
 	edgecore,oap101e-6e|\
 	edgecore,eap104)
+		if [ "$(find_mtd_chardev rootfs)" ]; then
+			CI_UBIPART="rootfs"
+		else
+			if grep -q rootfs1 /proc/cmdline; then
+				CI_UBIPART="rootfs2"
+				CI_FWSETENV="active 2"
+			else
+				CI_UBIPART="rootfs1"
+				CI_FWSETENV="active 1"
+			fi
+		fi
+		nand_upgrade_tar "$1"
+		;;
+	glinet,b3000)
 		CI_UBIPART="rootfs1"
 		[ "$(find_mtd_chardev rootfs)" ] && CI_UBIPART="rootfs"
 		nand_upgrade_tar "$1"
 		;;
-        hfcl,ion4x_w|\
+	hfcl,ion4x_w|\
 	hfcl,ion4xi_w)
-                wp_part=$(fw_printenv primary | cut  -d = -f2)
-                echo "Current Primary is $wp_part"
-                if [[ $wp_part == 1 ]]; then
-                        CI_UBIPART="rootfs"
-                        CI_FWSETENV="primary 0"
-                else
-                        CI_UBIPART="rootfs_1"
-                        CI_FWSETENV="primary 1"
-                fi
-                nand_upgrade_tar "$1"
-                ;;
+		wp_part=$(fw_printenv primary | cut  -d = -f2)
+		echo "Current Primary is $wp_part"
+		if [[ $wp_part == 1 ]]; then
+				CI_UBIPART="rootfs"
+				CI_FWSETENV="primary 0"
+		else
+				CI_UBIPART="rootfs_1"
+				CI_FWSETENV="primary 1"
+		fi
+		nand_upgrade_tar "$1"
+		;;
 	cig,wf186w|\
 	cig,wf186h|\
 	emplus,wap385c|\

feeds/ipq807x_v5.4/qca-ssdk/patches/500-define-mib-loop-cnt-to-gobal.patch

@@ -0,0 +1,61 @@
+--- a/include/init/ssdk_plat.h
++++ b/include/init/ssdk_plat.h
+@@ -330,6 +330,7 @@ struct qca_phy_priv {
+ 	struct mii_bus *miibus;
+ /*qca808x_end*/
+ 	u64 *mib_counters;
++	a_uint32_t mib_loop_cnt;
+ 	/* dump buf */
+ 	a_uint8_t  buf[2048];
+ 	a_uint32_t link_polling_required;
+--- a/src/ref/ref_mib.c
++++ b/src/ref/ref_mib.c
+@@ -479,39 +479,37 @@ qca_ar8327_sw_get_port_mib(struct switch
+ #endif
+
+ int
+-_qca_ar8327_sw_capture_port_tx_counter(struct qca_phy_priv *priv, int port)
++_qca_ar8327_sw_capture_port_tx_counter(a_uint32_t dev_id, int port)
+ {
+     fal_mib_info_t  mib_Info;
+
+     memset(&mib_Info, 0, sizeof(fal_mib_info_t));
+-    fal_get_tx_mib_info(priv->device_id, port, &mib_Info);
++    fal_get_tx_mib_info(dev_id, port, &mib_Info);
+
+     return 0;
+ }
+
+ int
+-_qca_ar8327_sw_capture_port_rx_counter(struct qca_phy_priv *priv, int port)
++_qca_ar8327_sw_capture_port_rx_counter(a_uint32_t dev_id, int port)
+ {
+     fal_mib_info_t  mib_Info;
+
+     memset(&mib_Info, 0, sizeof(fal_mib_info_t));
+-    fal_get_rx_mib_info(priv->device_id, port, &mib_Info);
++    fal_get_rx_mib_info(dev_id, port, &mib_Info);
+     return 0;
+ }
+
+ void
+ qca_ar8327_sw_mib_task(struct qca_phy_priv *priv)
+ {
+-	static int loop = 0;
+-
+ 	mutex_lock(&priv->reg_mutex);
+-	if ((loop % 2) == 0)
+-		_qca_ar8327_sw_capture_port_rx_counter(priv, loop/2);
++	if ((priv->mib_loop_cnt % 2) == 0)
++		_qca_ar8327_sw_capture_port_rx_counter(priv->device_id, priv->mib_loop_cnt/2);
+ 	else
+-		_qca_ar8327_sw_capture_port_tx_counter(priv, loop/2);
++		_qca_ar8327_sw_capture_port_tx_counter(priv->device_id, priv->mib_loop_cnt/2);
+
+-	if(++loop == (2 * (priv->ports))) {
+-		loop = 0;
++	if(++priv->mib_loop_cnt == (2 * (priv->ports))) {
++		priv->mib_loop_cnt = 0;
+ 	}
+
+ 	mutex_unlock(&priv->reg_mutex);

feeds/mediatek-sdk/mediatek/files-5.4/arch/arm64/boot/dts/mediatek/mt7981-edgecore-eap111.dts

@@ -200,7 +200,7 @@
 			phy-mode = "sgmii";
 			full-duplex;
 			pause;
-			airoha,surge = <1>;
+			airoha,surge = <0>;
 			airoha,polarity = <2>;
 		};
 

feeds/mediatek-sdk/mediatek/mt7981/base-files/etc/hotplug.d/iface/99-mtk-sr-scene-cond

@@ -34,13 +34,11 @@ case "$board" in
 
         if [ -f "$phy0_file" ]; then
             check_phy0=$(cat $phy0_file)
-            echo "check_phy0 = $check_phy0"
             [ "$check_phy0" == 0 ] && echo 1 > $phy0_file
         fi
 
         if [ -f "$phy1_file" ]; then
             check_phy1=$(cat $phy1_file)
-            echo "check_phy1 = $check_phy1"
             [ "$check_phy1" == 0 ] && echo 1 > $phy1_file
         fi
 

feeds/qca-wifi-7/hostapd/files/hostapd.uc

@@ -1032,7 +1032,10 @@ return {
 				hostapd.printf(`Sending AFC request: ${data}`);
 				writefile("/tmp/afc-request.json", data);
 
-				system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' -H \'Authorization: Bearer ${afc_server.access_token}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);
+				if (afc_server.access_token)
+					system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' -H \'Authorization: Bearer ${afc_server.access_token}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);
+				else if (afc_server.cert)
+					system(`curl -s -X POST ${afc_server.url} -H \'accept: \*\/\*\' --cert \'${afc_server.cert}\' -H \'Content-Type: application/json\' -d \'${data}\' --output /tmp/afc-response.json`);
 
 				let afc_response = (readfile("/tmp/afc-response.json"));
 				if (afc_response)

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-sonicfi-rap7110c-341x.dts

@@ -31,6 +31,20 @@
 		stdout-path = "serial0";
 	};
 
+	reserved-memory {
+		#address-cells = <2>;
+		#size-cells = <2>;
+		ranges;
+
+		ramoops@49c00000 {
+			compatible = "ramoops";
+			reg = <0x0 0x49c00000 0x0 0x100000>;
+			record-size = <0x20000>;
+			console-size = <0x20000>;
+			pmsg-size = <0x20000>;
+		};
+	};
+
 	soc@0 {
 		mdio:mdio@90000 {
 			pinctrl-0 = <&mdio1_pins>;

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-sonicfi-rap750e-h.dts

@@ -190,6 +190,14 @@
 		/delete-node/ wcnss@4a900000;
 		/delete-node/ q6_caldb_region@4ce00000;
 
+		ramoops@49c00000 {
+			compatible = "ramoops";
+			reg = <0x0 0x49c00000 0x0 0x100000>;
+			record-size = <0x20000>;
+			console-size = <0x20000>;
+			pmsg-size = <0x20000>;
+		};
+
 		q6_mem_regions: q6_mem_regions@4A900000  {
 		        no-map;
 		        reg = <0x0 0x4A900000 0x0 0x5100000>;

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-sonicfi-rap750e-s.dts

@@ -190,6 +190,14 @@
 		/delete-node/ wcnss@4a900000;
 		/delete-node/ q6_caldb_region@4ce00000;
 
+		ramoops@49c00000 {
+			compatible = "ramoops";
+			reg = <0x0 0x49c00000 0x0 0x100000>;
+			record-size = <0x20000>;
+			console-size = <0x20000>;
+			pmsg-size = <0x20000>;
+		};
+
 		q6_mem_regions: q6_mem_regions@4A900000  {
 		        no-map;
 		        reg = <0x0 0x4A900000 0x0 0x5100000>;

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-sonicfi-rap750w-311a.dts

@@ -190,6 +190,14 @@
 		/delete-node/ wcnss@4a900000;
 		/delete-node/ q6_caldb_region@4ce00000;
 
+		ramoops@49c00000 {
+			compatible = "ramoops";
+			reg = <0x0 0x49c00000 0x0 0x100000>;
+			record-size = <0x20000>;
+			console-size = <0x20000>;
+			pmsg-size = <0x20000>;
+		};
+
 		q6_mem_regions: q6_mem_regions@4A900000  {
 		        no-map;
 		        reg = <0x0 0x4A900000 0x0 0x5100000>;

feeds/tip/certificates/files/usr/bin/mount_certs

@@ -45,7 +45,8 @@ sonicfi,rap7*)
 		fi
 	fi
 	;;
-udaya,a5-id2)
+udaya,a5-id2|\
+yuncore,ax820)
 	mtd=$(find_mtd_index certificates)
 	if [ "$(head -c 4 /dev/mtd$mtd)" == "hsqs" ]; then
 		mount -t squashfs /dev/mtdblock$mtd /mnt
@@ -65,7 +66,7 @@ sonicfi,rap6*)
 		cp /mnt/* /certificates
 		umount /mnt
 	fi
-	part=$(tar_part_lookup "0:BOOTCONFIG" "0:BOOTCONFIG1")
+	part=$(tar_part_lookup "devinfo" "certificates")
 	if [ -n "$part" ]; then
 		mtd=$(find_mtd_index $part)
 		[ -n "$mtd" ] && tar xf /dev/mtdblock$mtd -C /certificates

feeds/tip/certificates/files/usr/bin/store_certs

@@ -21,7 +21,8 @@ sonicfi,rap7110c-341x)
 	mmc_dev=$(echo $(find_mmc_part $part) | sed 's/^.\{5\}//')
 	dd if=/tmp/certs.tar of=/dev/$mmc_dev
 	;;
-udaya,a5-id2)
+udaya,a5-id2|\
+yuncore,ax820)
 	cd /certificates
 	tar cf /tmp/certs.tar .
 	part=$(tar_part_lookup "insta1" "insta2")
@@ -32,7 +33,7 @@ sonicfi,rap6*)
 	if [ "$(fw_printenv -n store_certs_disabled)" != "1" ]; then
 		cd /certificates
 		tar cf /tmp/certs.tar .
-		part=$(tar_part_lookup "0:BOOTCONFIG" "0:BOOTCONFIG1")
+		part=$(tar_part_lookup "devinfo" "certificates")
 		mtd=$(find_mtd_index $part)
 		block_size=$(cat /sys/class/mtd/mtd$mtd/size)
 		dd if=/tmp/certs.tar of=/tmp/certs_pad.tar bs=$block_size conv=sync

feeds/tip/cloud_discovery/files/etc/init.d/cloud_discover

@@ -22,6 +22,19 @@ start_service() {
 	[ "$valid" == "true" ] || 
 		/usr/share/ucentral/ucentral.uc /etc/ucentral/ucentral.cfg.0000000001 > /dev/null
 
+	est_client check
+	[ $? -eq 1 ] && {
+		logger ERROR
+		logger ERROR
+		logger ERROR
+		logger The certificate used has a CN that does not match the serial of the device
+		echo The certificate used has a CN that does not match the serial of the device
+		logger ERROR
+		logger ERROR
+		logger ERROR
+		return
+	}
+
 	procd_open_instance
 	procd_set_param command "$PROG"
 	procd_set_param respawn

feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery

@@ -15,9 +15,14 @@ const ONLINE = 2;
 const OFFLINE = 3;
 const ORPHAN = 4;
 
+const DISCOVER_DHCP = "DHCP";
+const DISCOVER_FLASH = "FLASH";
+const DISCOVER_LOOKUP = "OpenLAN";
+
 let ubus = libubus.connect();
 let uci = libuci.cursor();
 let state = DISCOVER;
+let discovery_method = "";
 let validate_time;
 let offline_time;
 let orphan_time;
@@ -27,6 +32,8 @@ let timeouts = {
 	'validate': 120,
 	'orphan': 2 * 60 * 60,
 	interval: 10000,
+	expiry_interval: 60 * 60 * 1000,
+	expiry_threshold: 1 * 365 * 24 * 60 * 60,
 };
 
 ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "cloud_discover");
@@ -35,6 +42,24 @@ ulog(LOG_INFO, 'Start\n');
 
 uloop.init();
 
+let cds_server = 'discovery.open-lan.org';
+
+function detect_certificate_type() {
+	let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
+	let issuer = pipe.read("all");
+	pipe.close();
+
+	if (match(issuer, /OpenLAN Demo Birth CA/)) {
+		ulog(LOG_INFO, 'Certificate type is "Demo" \n');
+		cds_server = 'discovery-qa.open-lan.org';
+		timeouts.expiry_threshold = 3 * 24 * 60 * 60;
+	} else if (match(issuer, /OpenLAN Birth Issuing CA/)) {
+		ulog(LOG_INFO, 'Certificate type is "Production"\n');
+	} else {
+		ulog(LOG_INFO, 'Certificate type is "TIP"\n');
+	}
+}
+
 function readjsonfile(path) {
 	let file = fs.readfile(path);
 	if (file)
@@ -76,6 +101,14 @@ function gateway_load() {
 	return readjsonfile('/etc/ucentral/gateway.json');
 }
 
+function discovery_state_write() {
+	let discovery_state = {
+		"type": discovery_method,
+		"updated": time()
+	};
+	fs.writefile('/etc/ucentral/discovery.state.json', discovery_state);
+}
+
 function gateway_write(data) {
 	let gateway = gateway_load();
 	gateway ??= {};
@@ -89,9 +122,10 @@ function gateway_write(data) {
 		if (new[key] != gateway[key])
 			changed = true;
 	}
-	if (changed)
+	if (changed) {
 		fs.writefile('/etc/ucentral/gateway.json', new);
 		system('sync');
+	}
 	return changed;
 }
 
@@ -128,6 +162,7 @@ function set_state(set) {
 		if (prev == VALIDATING) {
 			ulog(LOG_INFO, 'Setting cloud controller to validated\n');
 			gateway_write({ valid: true });
+			discovery_state_write();
 		}
 		break;
 
@@ -162,7 +197,7 @@ function redirector_lookup() {
 	let serial = uci.get('system', '@system[-1]', 'mac');
 
 	fs.unlink(path);
-	system(`curl -k --cert /etc/ucentral/operational.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/operational.ca https://openlan.keys.tip.build/v1/devices/${serial} --output /tmp/ucentral.redirector`);
+	system(`curl -k --cert /etc/ucentral/operational.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/operational.ca https://${cds_server}/v1/devices/${serial} --output /tmp/ucentral.redirector`);
 	if (!fs.stat(path))
 		return;
 	let redir = readjsonfile(path);
@@ -225,15 +260,18 @@ function interval_handler() {
 		if (!time_is_valid())
 			return;
 
+		discovery_method = DISCOVER_DHCP;
 		if (discover_dhcp())
 			return;
 
 		if (system('/usr/bin/est_client enroll'))
 			return;
 
+		discovery_method = DISCOVER_FLASH;
 		if (!discover_flash())
 			return;
 
+		discovery_method = DISCOVER_LOOKUP;
 		redirector_lookup();
 		break;
 
@@ -253,6 +291,36 @@ function interval_handler() {
 	}
 }
 
+function trigger_reenroll() {
+	ulog(LOG_INFO, 'triggering reenroll\n');
+
+	if (system('/usr/bin/est_client reenroll')) {
+		ulog(LOG_INFO, 'reenroll failed\n');
+		return;
+	}
+	
+	ulog(LOG_INFO, 'reenroll succeeded\n');
+	ulog(LOG_INFO, 'stopping client\n');
+	
+	system('/etc/init.d/ucentral stop');
+	set_state(DISCOVER);
+}
+
+function expiry_handler() {
+	let stat = fs.stat('/etc/ucentral/operational.ca');
+	if (!stat)
+		return;
+
+	let ret = system(`openssl x509 -checkend ${timeouts.expiry_threshold} -noout -in /certificates/operational.pem`);
+	if (!ret) {
+		ulog(LOG_INFO, 'checked certificate expiry - all ok\n');
+		return;
+	}
+
+	ulog(LOG_INFO, 'certificate will expire soon\n');
+	trigger_reenroll();
+}
+
 let ubus_methods = {
 	discover: {
 		call: function(req) {
@@ -327,8 +395,17 @@ let ubus_methods = {
 		},
 		args: {},
 	},
+	reenroll: {
+		call: function(req) {
+			trigger_reenroll();
+			return 0;
+		},
+		args: {},
+	},
 };
 
+detect_certificate_type();
+
 if (gateway_available()) {
 	let status = ubus.call('ucentral', 'status');
 	ulog(LOG_INFO, 'cloud is known\n');
@@ -345,6 +422,7 @@ if (gateway_available()) {
 timeouts_load();
 
 interval = uloop.interval(timeouts.interval, interval_handler);
+uloop.interval(timeouts.expiry_interval, expiry_handler);
 
 ubus.publish('cloud', ubus_methods);
 

feeds/tip/cloud_discovery/files/usr/bin/est_client

@@ -4,12 +4,28 @@
 
 import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
 import * as fs from 'fs';
+import * as libuci from 'uci';
 
 let store_operational_pem = false;
 let store_operational_ca = false;
-let est_server = 'qaest.certificates.open-lan.org:8001';
+let est_server = 'est.certificates.open-lan.org';
 let cert_prefix = 'operational';
 
+function set_est_server() {
+	let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
+	let issuer = pipe.read("all");
+	pipe.close();
+
+	if (match(issuer, /OpenLAN Demo Birth CA/)) {
+		ulog(LOG_INFO, 'Certificate type is "Demo" \n');
+		est_server = 'qaest.certificates.open-lan.org:8001';
+	} else if (match(issuer, /OpenLAN Birth Issuing CA/)) {
+		ulog(LOG_INFO, 'Certificate type is "Production"\n');
+	} else {
+		ulog(LOG_INFO, 'Certificate type is "TIP"\n');
+	}
+}
+
 if (getenv('EST_SERVER'))
 	est_server = getenv('EST_SERVER');
 
@@ -78,6 +94,8 @@ function call_est_server(path, cert, target) {
 	if (generate_csr(cert))
 		return 1;
 
+	set_est_server();	
+
 	let ret = system('curl -m 10 -X POST https://' + est_server + '/.well-known/est/' + path + ' -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert ' + cert + ' --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
 	if (ret) {
 		ulog(LOG_INFO, 'Failed to request operational certificate\n');
@@ -125,6 +143,9 @@ function load_operational_ca() {
 		ulog(LOG_INFO, 'Operational CA is present\n');
 		return 0;
 	}
+
+	set_est_server();	
+
 	let ret = system('curl -m 10 -X GET https://' + est_server + '/.well-known/est/cacerts --cert /etc/ucentral/' + cert_prefix + '.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/' + cert_prefix + '.ca.nohdr.p7');
 	if (!ret)
 		ret = p7_too_pem('/tmp/' + cert_prefix + '.ca.nohdr.p7', '/etc/ucentral/' + cert_prefix + '.ca');
@@ -139,11 +160,14 @@ function load_operational_ca() {
 }
 
 function fwtool() {
+	if (!fs.stat('/etc/ucentral/cert.pem'))
+		return 0;
+
 	let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
 	let issuer = pipe.read("all");
 	pipe.close();
 
-	if (!(match(issuer, /OpenLAN/) && match(issuer, /Birth CA/)))
+	if (!(match(issuer, /OpenLAN/) && match(issuer, /Birth/)))
 		return 0;
 
 	ulog(LOG_INFO, 'The issuer is insta\n');
@@ -163,6 +187,20 @@ function fwtool() {
 	return 0;
 }
 
+function check_cert() {
+	if (!fs.stat('/etc/ucentral/cert.pem'))
+		return 0;
+	let pipe = fs.popen("openssl x509 -in /etc/ucentral/cert.pem  -noout -subject -nameopt multiline | grep commonName | awk '{ print $3 }'");
+	let cn = pipe.read("all");
+	pipe.close();
+	if (!cn)
+		return 0;
+	cn = lc(trim(cn));
+	let uci = libuci.cursor();
+	let serial = uci.get('ucentral', 'config', 'serial');
+	return cn != serial;
+}
+
 switch(ARGV[0]) {
 case 'enroll':
 	let ret = simpleenroll();
@@ -184,4 +222,7 @@ case 'reenroll':
 
 case 'fwtool':
 	exit(fwtool());
+
+case 'check':
+	exit(check_cert());
 }

feeds/tip/cloud_discovery/files/usr/share/ucentral/cloud_discovery.uc

@@ -5,7 +5,7 @@ import * as fs from 'fs';
 
 let cmd = ARGV[0];
 let ifname = getenv("interface");
-let opt224 = getenv("opt138");
+let opt138 = getenv("opt138");
 let opt224 = getenv("opt224");
 
 if (cmd != 'bound' && cmd != 'renew')

feeds/tip/tip-defaults/files/etc/ucentral/insta.pem

@@ -4,3 +4,6 @@ MIIFajCCA1KgAwIBAgICDnowDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3BlbkxBTiBEZW1vIFJv
 -----BEGIN CERTIFICATE-----
 MIIFIDCCAwigAwIBAgICDnkwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3BlbkxBTiBEZW1vIFJvb3QgQ0EwHhcNMjUwMjIxMTUwMDAwWhcNMjYwMjIxMTUwMDAwWjAfMR0wGwYDVQQDDBRPcGVuTEFOIERlbW8gUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMjExylKdJWoJu9mOHPJ6yZFXKe1lE467G65acpS2FKIWnPVFjNCmATMpkMOIFzEFwyFdbQjzOidtiL+73zlE52lOJpXCfOcxDFqDYDJJ8//J1/gQWsBaKpSvgLiHU/0awkQg+yJYZpj8YZa4NkFe+zTjQScSfOsqPPb3rZ7DOQ2BKAhjVShKmVbtNil0iO0zm8vE8DNkktTNMREp2pzb8MbCAgfOkwlrby6T+rV3TvmjThGdFUb5lWDFxWtlF8W0SUII9qj7p5TdGpryeLsO0nZTBtS4HxZNdvmKOHfgcRHmSZIJigB2NzKLNrXF9JBW0WnUSwZJZAG2C1RTx6lADILPueuusyfR/hZ3koKi4PHnSiTwQghzia9K9QjNHq5z9R9ZoCnhBg1VyU4LKmp862L0sIp2vgnOYunEIi9aCYBaDwo+0FuVjZuXyDIatwVuA7TN5IWPHA6XLdOt1mmkeYy1Ldr4XHjdondhtOyeei1UFXmyyLm2+kmRYfTm91TqYmNzRgbRV2NHO50AmsnBknX4Rv3gishGe0+dV5yFcUwZud0z2rSCkuoai5tKrPT+6Y6NqkT9u9HFifIBXnLwEzVUqHRtW6SuWj2DClVQIXIUZtFnhY4GuTuf6DlzgnXO58oDVCZmCW4ULIpbqGeRsvBHR8Sw5JXP/1+TMUYhE8TAgMBAAGjZjBkMB8GA1UdIwQYMBaAFDzIg8eyTI3xc4A2R60f8HanhBZDMB0GA1UdDgQWBBQ8yIPHskyN8XOANketH/B2p4QWQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATANBgkqhkiG9w0BAQsFAAOCAgEAkHZ5KR8IOrdfMFy+iOvauvZxfQ84LL6TpB2FQKDjneJUdd7c29UJJFNW/0mp4Gc6jKZab6J8Dx/pNnbH0RqFjGjeRGtJ4Sk0G7gf9zw1S7qut5WJDcisM9l/wXC+zy/KSKKPQmbt0grWOtU7+NNPh1YU76hIrInq/u2sVZyKH8SXQ957fbJk6BX6JTKyNEn05AB6rNSrbOWo8sy2MlcJ7bBsrWYI1t6GcWFh4b36bLu7/dKJWpyFNXXIkKJsgMEDpEQae56+fSSDo0KRNtYB82fNZDIQlGK81rGJWNzAahM+3GD1tgk/3ZVugfaJhcBpoHHKNOGqZAvtirLAIDocno7AzqoeIz974Rh2Olsl2/arApYPyyfi8PMYuFe/d4h+Wie8n+jh5n48lZ2Ve4PK+j+QHD6tTZS4f0bGnPL1puMxzQloltuQWgLDeVfEgrc3snLvjOg8aDzWm/es85lP8XcyW54U4t3JmrNUC2C7v+Uafx7cL7eDeunhs+BRhtGV+IUmjub2IrpqZp3zZqn+LVRdYJIy/qHhjS5+ImckXkFojOmeWhfmEmYSuNP8Oa6cGuXp829qnbxLh9Qzi3TfXV883KLse4kL5Zl7gBA/4hz2hVMyGJ8fY+VvzbaTuOXyvKJ+rGZCTcRSeotBLnIevVMiL7SqOEwN0j4Mfbznfq8=
 -----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFTCCAv2gAwIBAgICAxIwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3BlbkxBTiBSb290IENBMCAXDTI1MDUxNDA4NDcxMFoYDzIwNTUwNTE0MDg0NzEwWjAaMRgwFgYDVQQDDA9PcGVuTEFOIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDGibJ04A55kSURTBSKgcBmLnND2I5wws1taKqqU9aaRhB7NtvMHwh2voH9b1brUiulZaZwTN/9kzd4AnXeKQ+0u5tV7Ofk0fzF2MK47n17TS30Yenqc4NuQEKdpKK/pM3VvOEppR/bqtgyLtDmbDnmFOx+zTj/+smTgouwA+Iier0P4s5OohYxn/bjOqwQbHbU79VpGBIWv6/kt55AhH7zvsqqKHkrzTxnsRBv3SBIufrjJr9PIhZBLDrqr56P6KgAi0eoutNt2ToiJbE0WfjU7GI1RSiSN5bGj1zXhjNVzQWs1H9QzRf3c9pl3+haHQZ7FZ1UqiTRewmbNrQ6I9k81au3SttUlb87MyAuDSzatkiq7CjQ8VE1J6te6ZBt2zWpUhHsR/Lg7g3eOw5dL4oZJdK5GgGu/MUajLUXifIqM13Mvg0VTzDhN69VLXLSL0gPcicsQCwJuAza1IC/VqmBGx19fAkyJhOurCXWOgisi0g1+xzPKRphUNwMPUf8vBVOM/Vc6xDIvwVGE3+eWXyhixneFlSpAI03nWWjpwWXihTBoxbfRXO3Y/ilJqrgFN+U4PJcCPA+Wo7ThH0mgX6bOTPcgXMUzT3v3FF6Bx5/PNV3kYrw2yLzribUiS6AGvVGnW4hX2Z6OQvA/aHME8KF+6y6m4pC7FkUjVaRlzWu/wIDAQABo2MwYTAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbCJjAdBgNVHQ4EFgQUlGhbqDj5OECwcmT+O5I+KdSGwiYwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAB+/RUC2X6eVoPsFNMkaXO5Iib/ub0JoWhODQm8j2Mr5dpGXESSpXjfDcqDOLuJbWWoflXBLdr8BsVCBqOA9YgCX0H8Br7dUWmCScixxLW0he592/424EvdwifxcKHZLjv9CKV5Txhqnm2djc5RY/nTH5MYVrIh/If2TNO5ydDP6+vgy9GQ4en04VK7rz+PW17O8l7k9/lOmYptZmHgSDAPj/cT3PlG+McqaI5rMSHeEHlzH+PvgWjtSeEhF4FwFBXroDl4/yb4l2JB8bqAZ3vsOXSkigFcZh5MXPe+zuSSW+G8iLr4xoi0CFsP2DaHEyxgqP4B1FtE9nFPo6cvWbwqTVT7QSzqfH+jPJuQvpFXeRF5UFegNZTFT5/uFFPamihakFslEYxeJey1y+OJdLcP6ef87ruSt8amsq56OAETYpnW4JFowlEh0C+QwLGHGGY6WrOgHY/90hJmPgXBdBVg/IoOhzbvk5A+LqZDvxV2/rLNfClw8Kr3g5e8obcB6dWgMCy2z+us0H79ucnmhzQKsjpxM9T1ncHovAQfiD3jVqfHULY53avh0wIAjosoTGbe8dyx80quHe+16qWan7C9idXeAYYJXbZt5hs6hLw4I8M1LsjTg6vwsqiaHZpsmDyyQLdFjNJldG7aosfS9F+BIpuwijF+1dashL0CPsbIJ
+-----END CERTIFICATE-----

feeds/ucentral/rrmd/files/usr/share/rrmd/policy_chanutil.uc

@@ -202,7 +202,7 @@ function get_center_channel(channel, band, bw) {
                 "225": 227
             };
         } else if (bw == 80) {
-            bw = {
+            center_channel_map = {
                 "1": 7, "5": 7, "9": 7, "13": 7,
                 "17": 23, "21": 23, "25": 23, "29": 23,
                 "33": 39, "37": 39, "41": 39, "45": 39,
@@ -236,6 +236,8 @@ function get_center_channel(channel, band, bw) {
             };
         } else if (bw == 320) {
             center_channel_map = {
+                "1": 31, "5": 31, "9": 31, "13": 31,
+                "17": 31, "21": 31, "25": 31, "29": 31,
                 "33": 63, "37": 63, "41": 63, "45": 63,
                 "49": 63, "53": 63, "57": 63, "61": 63,
                 "65": 63, "69": 63, "73": 63, "77": 63,
@@ -558,7 +560,7 @@ function random_channel_selection(iface, band, htmode, chan_list_valid) {
     ulog_info(`[%s] Selected channel list from config (default channel list shall be used in case channels haven't been selected) = %s \n`, iface, (chan_list_valid || '[]'));
 
     if (band == '2g' && bw >= 40) {
-        ulog_info(`[%s] It is highly recommended to NOT use %dMHz bandwidth for 2.4G radio \n`, iface, bw);
+        ulog_info(`[%s] It is highly recommended to NOT use %dMHz bandwidth for 2.4G radio (RRM will not work properly) \n`, iface, bw);
     } else if (band == '5g' && bw > 160) {
         ulog_info(`[%s] %dMHz bandwidth not supported for 5G radio. Please use a bandwidth of 160MHz or lower\n`, iface, bw);
     }

feeds/ucentral/rtty/files/rtty.init

@@ -51,7 +51,7 @@ start_rtty() {
 	procd_set_param command $BIN -h $host -I "$id" -a
 	[ -n "$port" ] && procd_append_param command -p "$port"
 	[ -n "$description" ] && procd_append_param command -d "$description"
-	[ "$ssl" = "1" ] && procd_append_param command -s -c /etc/ucentral/cert.pem -k /etc/ucentral/key.pem
+	[ "$ssl" = "1" ] && procd_append_param command -s -c /etc/ucentral/operational.pem -k /etc/ucentral/key.pem
 	[ -n "$token" ] && procd_append_param command -t "$token"
 	[ "$verbose" = "1" ] && procd_append_param command -v
 	[ "$timeout" -eq "0" ] || procd_append_param command -e $timeout

feeds/ucentral/ucentral-client/Makefile

@@ -4,10 +4,9 @@ PKG_NAME:=ucentral-client
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL=https://github.com/Telecominfraproject/wlan-ucentral-client.git
-PKG_MIRROR_HASH:=34c912efa9c0dcdbc6122296e236993484b24b3bc4de51608356304afc8df1c3
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2025-07-27
-PKG_SOURCE_VERSION:=c536f6957bd96e57301f9d540b75460119d2a69a
+PKG_SOURCE_DATE:=2025-08-11
+PKG_SOURCE_VERSION:=549e84e5fea7230c5471d6a3dbddcc7d3152f665
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>

feeds/ucentral/ucentral-schema/Makefile

@@ -4,10 +4,9 @@ PKG_NAME:=ucentral-schema
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL=https://github.com/Telecominfraproject/wlan-ucentral-schema.git
-PKG_MIRROR_HASH:=45575f1f345368d109f74dc5ae3c8648dadbebef37e2d8eadc95b4fca2fbf43f
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2025-07-30
-PKG_SOURCE_VERSION:=30c73745c104d56f58d4f457956fe7ebac6e0f86
+PKG_SOURCE_DATE:=2025-08-04
+PKG_SOURCE_VERSION:=1c6b3095cb9e398fcbfcb2bf995365066eb76b21
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=BSD-3-Clause
 

feeds/ucentral/ucentral-state/files/ucentral-state

@@ -20,6 +20,7 @@ let config;
 let offline_timer;
 let current_state;
 let online = false;
+let leds_off = false;
 
 function self_healing() {
 	let heal_wifi = false;
@@ -61,7 +62,7 @@ function self_healing() {
 			heal_wifi = false;
 		}
 
-		if (time_passed_since_rrm < 120) {
+		if (time_passed_since_rrm < 180) {
 			// RRM in progress, do not restart network!
 			ulog(LOG_INFO, 'RRM with Channel utilization may still be in progress, cannot restart network \n');
 			heal_wifi = false;
@@ -148,6 +149,13 @@ function online_handler() {
 
 function config_load() {
 	ulog(LOG_INFO, 'loading config\n');
+
+	uci.load('system');
+	let led_off_cfg = uci.get("system", "@system[0]", "leds_off");
+	if (led_off_cfg == 1) {
+		leds_off = true;
+	}
+
 	uci.load('state');
 	config = uci.get_all('state');
 
@@ -191,7 +199,7 @@ function led_find(alias) {
 function factory_reset_timeout() {
 	let led = led_find('led-running');
 	if (led)
-		led_write(led, 'trigger', 'default-on');
+		led_write(led, 'trigger', leds-off ? 'none' : 'default-on');
 }
 
 let blink_timer;
@@ -210,7 +218,7 @@ let state_handler = {
 	offline: function() {
 		online = false;
 		let led = led_find('led-running');
-		if (led)
+		if (!leds_off && led)
 			led_write(led, 'trigger', 'heartbeat');
 		if (config.ui.offline_trigger) {
 			if (offline_timer)
@@ -223,7 +231,7 @@ let state_handler = {
 	online: function() {
 		online = true;
 		let led = led_find('led-running');
-		if (led)
+		if (!leds_off && led)
 			led_write(led, 'trigger', 'default-on');
 		online_handler();
 		return 0;
@@ -265,7 +273,7 @@ let ubus_methods = {
 			current_state = req.args.state;
 			blink_timeout();
 			ulog(LOG_INFO, 'set state -> ' + req.args.state + '\n');
-			
+
 			return state_handler[req.args.state](req.args);
 		},
 		args: {

patches/0096-base-files-boot-add-sync-after-uci-defaults.patch

@@ -0,0 +1,33 @@
+From 309a419087da906a2f3b0f39763f021e9729dd85 Mon Sep 17 00:00:00 2001
+From: Paul White <paul@shasta.cloud>
+Date: Mon, 4 Aug 2025 04:14:23 +0000
+Subject: [PATCH] base-files: boot: add sync after uci-defaults
+
+A scenario was seen where UCI config was not flushed to disk before
+an AP power-cycle after uci-defaults was completed.  Since these
+scripts are deleted after being ran once, there is no way to recover
+without a factory reset.
+
+Adding this sync operation proved to help avoid this situation from
+happening
+
+Signed-off-by: Paul White <paul@shasta.cloud>
+---
+ package/base-files/files/etc/init.d/boot | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/package/base-files/files/etc/init.d/boot b/package/base-files/files/etc/init.d/boot
+index 15756669a9..c8a803e32c 100755
+--- a/package/base-files/files/etc/init.d/boot
++++ b/package/base-files/files/etc/init.d/boot
+@@ -15,6 +15,7 @@ uci_apply_defaults() {
+ 		( . "./$(basename $file)" ) && rm -f "$file"
+ 	done
+ 	uci commit
++	sync
+ }
+ 
+ boot() {
+-- 
+2.43.0
+

patches/0096-uboot-envtools-add-udaya-id5.patch

@@ -0,0 +1,25 @@
+From d366477af72e725524b47f2fffe8a8c1d500060d Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Thu, 31 Jul 2025 14:45:12 +0200
+Subject: [PATCH] uboot-envtools: add udaya-id5
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ package/boot/uboot-envtools/files/ipq40xx | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/package/boot/uboot-envtools/files/ipq40xx b/package/boot/uboot-envtools/files/ipq40xx
+index 8d993fae36..78299195bd 100644
+--- a/package/boot/uboot-envtools/files/ipq40xx
++++ b/package/boot/uboot-envtools/files/ipq40xx
+@@ -42,6 +42,7 @@ luma,wrtq-329acn|\
+ netgear,wac510|\
+ openmesh,a42|\
+ openmesh,a62|\
++udaya,a5-id2|\
+ pakedge,wr-1|\
+ plasmacloud,pa1200|\
+ plasmacloud,pa2200)
+-- 
+2.34.1
+

patches/0097-yuncore_ax820-add-insta1-2-partitions.patch

@@ -0,0 +1,36 @@
+From 3ceb72aaffa13375c049d161702e9d9f55da38c8 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Mon, 4 Aug 2025 08:34:50 +0200
+Subject: [PATCH] yuncore_ax820: add insta1/2 partitions
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ target/linux/ramips/dts/mt7621_yuncore_ax820.dts | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/target/linux/ramips/dts/mt7621_yuncore_ax820.dts b/target/linux/ramips/dts/mt7621_yuncore_ax820.dts
+index b2f55b9be0..cc1b59340b 100644
+--- a/target/linux/ramips/dts/mt7621_yuncore_ax820.dts
++++ b/target/linux/ramips/dts/mt7621_yuncore_ax820.dts
+@@ -120,7 +120,17 @@
+ 			partition@90000 {
+ 				compatible = "denx,uimage";
+ 				label = "firmware";
+-				reg = <0x90000 0xf60000>;
++				reg = <0x90000 0xf40000>;
++			};
++
++			partition@fd0000 {
++				label = "insta1";
++				reg = <0xfd0000 0x10000>;
++			};
++
++			partition@fe0000 {
++				label = "insta2";
++				reg = <0xfe0000 0x10000>;
+ 			};
+ 
+ 			partition@ff0000 {
+-- 
+2.34.1
+

patches/0099-elfutils-fix-build-with-GCC11.patch

@@ -0,0 +1,26 @@
+From b82a8514a3f52b91ec84f703ef92740dda19d5d9 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Thu, 14 Aug 2025 10:29:29 +0200
+Subject: [PATCH] elfutils: fix build with GCC11
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ package/libs/elfutils/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/package/libs/elfutils/Makefile b/package/libs/elfutils/Makefile
+index f7364c36be..76112c89ff 100644
+--- a/package/libs/elfutils/Makefile
++++ b/package/libs/elfutils/Makefile
+@@ -87,7 +87,7 @@ TARGET_CFLAGS += \
+ 	-Wno-unused-result \
+ 	-Wno-format-nonliteral
+ 
+-ifneq ($(CONFIG_GCC_USE_VERSION_11),y)
++ifneq ($(CONFIG_GCC_VERSION_11),y)
+ TARGET_CFLAGS += \
+ 	-Wno-error=use-after-free
+ endif
+-- 
+2.34.1
+

patches/0099-wireless-regdb-fix-channel-14-in-JP.patch

@@ -0,0 +1,39 @@
+From d0a0f0304f292a40f2fcdd20b320089627b0f05f Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Thu, 7 Aug 2025 14:50:51 +0200
+Subject: [PATCH] wireless-regdb: fix channel 14 in JP
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ .../patches/200-jp-no-channel-14.patch        | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+ create mode 100644 package/firmware/wireless-regdb/patches/200-jp-no-channel-14.patch
+
+diff --git a/package/firmware/wireless-regdb/patches/200-jp-no-channel-14.patch b/package/firmware/wireless-regdb/patches/200-jp-no-channel-14.patch
+new file mode 100644
+index 0000000000..ea1411cfdd
+--- /dev/null
++++ b/package/firmware/wireless-regdb/patches/200-jp-no-channel-14.patch
+@@ -0,0 +1,19 @@
++--- a/db.txt
+++++ b/db.txt
++@@ -16,8 +16,6 @@ country 00:
++ 	(2402 - 2472 @ 40), (20)
++ 	# Channel 12 - 13.
++ 	(2457 - 2482 @ 20), (20), NO-IR, AUTO-BW
++-	# Channel 14. Only JP enables this and for 802.11b only
++-	(2474 - 2494 @ 20), (20), NO-IR, NO-OFDM
++ 	# Channel 36 - 48
++ 	(5170 - 5250 @ 80), (20), AUTO-BW
++ 	# Channel 52 - 64
++@@ -945,7 +943,6 @@ country JO: DFS-JP
++ # https://www.soumu.go.jp/main_content/000833682.pdf
++ country JP: DFS-JP
++ 	(2402 - 2482 @ 40), (20)
++-	(2474 - 2494 @ 20), (20), NO-OFDM
++ 	(4910 - 4990 @ 40), (23)
++ 	(5170 - 5250 @ 80), (20), AUTO-BW
++ 	(5250 - 5330 @ 80), (20), DFS, AUTO-BW
+-- 
+2.34.1
+