WIFI-14998: wifi: ap: mitigate peer-delete WMI timeout to reduce blind period & prevent peer leaks

1. When a connected client roams to another AP, the AP is trying to delete the peer
   but for some reason the WMI command times out and while driver is waiting for
   the response, we observed that the AP doesn't respond to any frames from STA
   (probe requests, authentication etc) and once the response times out (3seconds default)
   then AP starts responding to the older requets but client has already connected to
   another AP. As the root cause for the response timing out is in the FW, we added
   a WAR to reduce the timeout to minimize this blind period, with this AP responds
   after 100ms and client connects successfully. And 100ms timeout is also reasonable
   for this internal operation.
2. In case of peer deletion timeout, the driver peer database is not cleared, so,
   if this happens often (which it is) then eventually we hit the max peers in the
   driver and all subsequent operations fail, so, in case of timeout ignore the failure
   and proceed with driver peer database cleanup.

Signed-off-by: Venkat Chimata <venkat@nearhop.com>

feeds/ipq807x_v5.4/ipq50xx/base-files/lib/upgrade/platform.sh

@@ -107,29 +107,42 @@ platform_do_upgrade() {
 
 	board=$(board_name)
 	case $board in
-	glinet,b3000|\
 	edgecore,oap101|\
 	edgecore,oap101-6e|\
 	edgecore,oap101e|\
 	edgecore,oap101e-6e|\
 	edgecore,eap104)
+		if [ "$(find_mtd_chardev rootfs)" ]; then
+			CI_UBIPART="rootfs"
+		else
+			if grep -q rootfs1 /proc/cmdline; then
+				CI_UBIPART="rootfs2"
+				CI_FWSETENV="active 2"
+			else
+				CI_UBIPART="rootfs1"
+				CI_FWSETENV="active 1"
+			fi
+		fi
+		nand_upgrade_tar "$1"
+		;;
+	glinet,b3000)
 		CI_UBIPART="rootfs1"
 		[ "$(find_mtd_chardev rootfs)" ] && CI_UBIPART="rootfs"
 		nand_upgrade_tar "$1"
 		;;
-        hfcl,ion4x_w|\
+	hfcl,ion4x_w|\
 	hfcl,ion4xi_w)
-                wp_part=$(fw_printenv primary | cut  -d = -f2)
-                echo "Current Primary is $wp_part"
-                if [[ $wp_part == 1 ]]; then
-                        CI_UBIPART="rootfs"
-                        CI_FWSETENV="primary 0"
-                else
-                        CI_UBIPART="rootfs_1"
-                        CI_FWSETENV="primary 1"
-                fi
-                nand_upgrade_tar "$1"
-                ;;
+		wp_part=$(fw_printenv primary | cut  -d = -f2)
+		echo "Current Primary is $wp_part"
+		if [[ $wp_part == 1 ]]; then
+				CI_UBIPART="rootfs"
+				CI_FWSETENV="primary 0"
+		else
+				CI_UBIPART="rootfs_1"
+				CI_FWSETENV="primary 1"
+		fi
+		nand_upgrade_tar "$1"
+		;;
 	cig,wf186w|\
 	cig,wf186h|\
 	emplus,wap385c|\

feeds/ipq807x_v5.4/mac80211/patches/pending/a-101-wifi-ap-mitigate-peer-delete-WMI-timeout-to-reduce-b.patch

@@ -0,0 +1,53 @@
+From 375d0d25e6c02991392e44956c81cbac84909f49 Mon Sep 17 00:00:00 2001
+From: Venkat Chimata <venkat@nearhop.com>
+Date: Thu, 4 Sep 2025 00:09:17 +0530
+Subject: [PATCH] wifi: ap: mitigate peer-delete WMI timeout to reduce blind
+ period & prevent peer leaks
+
+1. When a connected client roams to another AP, the AP is trying to delete the peer
+   but for some reason the WMI command times out and while driver is waiting for
+   the response, we observed that the AP doesn't respond to any frames from STA
+   (probe requests, authentication etc) and once the response times out (3seconds default)
+   then AP starts responding to the older requets but client has already connected to
+   another AP. As the root cause for the response timing out is in the FW, we added
+   a WAR to reduce the timeout to minimize this blind period, with this AP responds
+   after 100ms and client connects successfully. And 100ms timeout is also reasonable
+   for this internal operation.
+2. In case of peer deletion timeout, the driver peer database is not cleared, so,
+   if this happens often (which it is) then eventually we hit the max peers in the
+   driver and all subsequent operations fail, so, in case of timeout ignore the failure
+   and proceed with driver peer database cleanup.
+
+Signed-off-by: Venkat Chimata <venkat@nearhop.com>
+---
+ drivers/net/wireless/ath/ath11k/peer.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/peer.c b/drivers/net/wireless/ath/ath11k/peer.c
+index 1907067..aefc6ba 100644
+--- a/drivers/net/wireless/ath/ath11k/peer.c
++++ b/drivers/net/wireless/ath/ath11k/peer.c
+@@ -771,7 +771,7 @@ int ath11k_wait_for_peer_delete_done(struct ath11k *ar, u32 vdev_id,
+ 	}
+ 
+ 	time_left = wait_for_completion_timeout(&ar->peer_delete_done,
+-						3 * HZ);
++						100 * HZ / 1000);
+ 	if (time_left == 0) {
+ 		ath11k_warn(ar->ab, "Timeout in receiving peer delete response\n");
+ 		return -ETIMEDOUT;
+@@ -857,7 +857,10 @@ int ath11k_peer_delete(struct ath11k *ar, u32 vdev_id, u8 *addr)
+ 	}
+ 
+ 	ret = ath11k_wait_for_peer_delete_done(ar, vdev_id, addr);
+-	if (ret)
++	/* WAR: For the timeout case, proceed to delete the peer anyway, as FW is
++	 * still functional, without this, driver ends up hitting max peers
++	 */
++	if (ret && ret != -ETIMEDOUT)
+ 		return ret;
+ 
+ 	ATH11K_MEMORY_STATS_DEC(ar->ab, per_peer_object,
+-- 
+2.34.1
+

feeds/ipq807x_v5.4/qca-ssdk/patches/500-define-mib-loop-cnt-to-gobal.patch

@@ -0,0 +1,61 @@
+--- a/include/init/ssdk_plat.h
++++ b/include/init/ssdk_plat.h
+@@ -330,6 +330,7 @@ struct qca_phy_priv {
+ 	struct mii_bus *miibus;
+ /*qca808x_end*/
+ 	u64 *mib_counters;
++	a_uint32_t mib_loop_cnt;
+ 	/* dump buf */
+ 	a_uint8_t  buf[2048];
+ 	a_uint32_t link_polling_required;
+--- a/src/ref/ref_mib.c
++++ b/src/ref/ref_mib.c
+@@ -479,39 +479,37 @@ qca_ar8327_sw_get_port_mib(struct switch
+ #endif
+
+ int
+-_qca_ar8327_sw_capture_port_tx_counter(struct qca_phy_priv *priv, int port)
++_qca_ar8327_sw_capture_port_tx_counter(a_uint32_t dev_id, int port)
+ {
+     fal_mib_info_t  mib_Info;
+
+     memset(&mib_Info, 0, sizeof(fal_mib_info_t));
+-    fal_get_tx_mib_info(priv->device_id, port, &mib_Info);
++    fal_get_tx_mib_info(dev_id, port, &mib_Info);
+
+     return 0;
+ }
+
+ int
+-_qca_ar8327_sw_capture_port_rx_counter(struct qca_phy_priv *priv, int port)
++_qca_ar8327_sw_capture_port_rx_counter(a_uint32_t dev_id, int port)
+ {
+     fal_mib_info_t  mib_Info;
+
+     memset(&mib_Info, 0, sizeof(fal_mib_info_t));
+-    fal_get_rx_mib_info(priv->device_id, port, &mib_Info);
++    fal_get_rx_mib_info(dev_id, port, &mib_Info);
+     return 0;
+ }
+
+ void
+ qca_ar8327_sw_mib_task(struct qca_phy_priv *priv)
+ {
+-	static int loop = 0;
+-
+ 	mutex_lock(&priv->reg_mutex);
+-	if ((loop % 2) == 0)
+-		_qca_ar8327_sw_capture_port_rx_counter(priv, loop/2);
++	if ((priv->mib_loop_cnt % 2) == 0)
++		_qca_ar8327_sw_capture_port_rx_counter(priv->device_id, priv->mib_loop_cnt/2);
+ 	else
+-		_qca_ar8327_sw_capture_port_tx_counter(priv, loop/2);
++		_qca_ar8327_sw_capture_port_tx_counter(priv->device_id, priv->mib_loop_cnt/2);
+
+-	if(++loop == (2 * (priv->ports))) {
+-		loop = 0;
++	if(++priv->mib_loop_cnt == (2 * (priv->ports))) {
++		priv->mib_loop_cnt = 0;
+ 	}
+
+ 	mutex_unlock(&priv->reg_mutex);

feeds/mediatek-sdk/mediatek/files-5.4/arch/arm64/boot/dts/mediatek/mt7981-edgecore-eap111.dts

@@ -200,7 +200,7 @@
 			phy-mode = "sgmii";
 			full-duplex;
 			pause;
-			airoha,surge = <1>;
+			airoha,surge = <0>;
 			airoha,polarity = <2>;
 		};
 

feeds/mediatek-sdk/mediatek/mt7981/base-files/etc/hotplug.d/iface/99-mtk-sr-scene-cond

@@ -34,13 +34,11 @@ case "$board" in
 
         if [ -f "$phy0_file" ]; then
             check_phy0=$(cat $phy0_file)
-            echo "check_phy0 = $check_phy0"
             [ "$check_phy0" == 0 ] && echo 1 > $phy0_file
         fi
 
         if [ -f "$phy1_file" ]; then
             check_phy1=$(cat $phy1_file)
-            echo "check_phy1 = $check_phy1"
             [ "$check_phy1" == 0 ] && echo 1 > $phy1_file
         fi
 

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-sonicfi-rap7110c-341x.dts

@@ -31,6 +31,20 @@
 		stdout-path = "serial0";
 	};
 
+	reserved-memory {
+		#address-cells = <2>;
+		#size-cells = <2>;
+		ranges;
+
+		ramoops@49c00000 {
+			compatible = "ramoops";
+			reg = <0x0 0x49c00000 0x0 0x100000>;
+			record-size = <0x20000>;
+			console-size = <0x20000>;
+			pmsg-size = <0x20000>;
+		};
+	};
+
 	soc@0 {
 		mdio:mdio@90000 {
 			pinctrl-0 = <&mdio1_pins>;

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-sonicfi-rap750e-h.dts

@@ -190,6 +190,14 @@
 		/delete-node/ wcnss@4a900000;
 		/delete-node/ q6_caldb_region@4ce00000;
 
+		ramoops@49c00000 {
+			compatible = "ramoops";
+			reg = <0x0 0x49c00000 0x0 0x100000>;
+			record-size = <0x20000>;
+			console-size = <0x20000>;
+			pmsg-size = <0x20000>;
+		};
+
 		q6_mem_regions: q6_mem_regions@4A900000  {
 		        no-map;
 		        reg = <0x0 0x4A900000 0x0 0x5100000>;

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-sonicfi-rap750e-s.dts

@@ -190,6 +190,14 @@
 		/delete-node/ wcnss@4a900000;
 		/delete-node/ q6_caldb_region@4ce00000;
 
+		ramoops@49c00000 {
+			compatible = "ramoops";
+			reg = <0x0 0x49c00000 0x0 0x100000>;
+			record-size = <0x20000>;
+			console-size = <0x20000>;
+			pmsg-size = <0x20000>;
+		};
+
 		q6_mem_regions: q6_mem_regions@4A900000  {
 		        no-map;
 		        reg = <0x0 0x4A900000 0x0 0x5100000>;

feeds/qca-wifi-7/ipq53xx/dts/ipq5332-sonicfi-rap750w-311a.dts

@@ -190,6 +190,14 @@
 		/delete-node/ wcnss@4a900000;
 		/delete-node/ q6_caldb_region@4ce00000;
 
+		ramoops@49c00000 {
+			compatible = "ramoops";
+			reg = <0x0 0x49c00000 0x0 0x100000>;
+			record-size = <0x20000>;
+			console-size = <0x20000>;
+			pmsg-size = <0x20000>;
+		};
+
 		q6_mem_regions: q6_mem_regions@4A900000  {
 		        no-map;
 		        reg = <0x0 0x4A900000 0x0 0x5100000>;

feeds/tip/certificates/files/usr/bin/mount_certs

@@ -45,7 +45,8 @@ sonicfi,rap7*)
 		fi
 	fi
 	;;
-udaya,a5-id2)
+udaya,a5-id2|\
+yuncore,ax820)
 	mtd=$(find_mtd_index certificates)
 	if [ "$(head -c 4 /dev/mtd$mtd)" == "hsqs" ]; then
 		mount -t squashfs /dev/mtdblock$mtd /mnt
@@ -65,7 +66,7 @@ sonicfi,rap6*)
 		cp /mnt/* /certificates
 		umount /mnt
 	fi
-	part=$(tar_part_lookup "0:BOOTCONFIG" "0:BOOTCONFIG1")
+	part=$(tar_part_lookup "devinfo" "certificates")
 	if [ -n "$part" ]; then
 		mtd=$(find_mtd_index $part)
 		[ -n "$mtd" ] && tar xf /dev/mtdblock$mtd -C /certificates

feeds/tip/certificates/files/usr/bin/store_certs

@@ -21,7 +21,8 @@ sonicfi,rap7110c-341x)
 	mmc_dev=$(echo $(find_mmc_part $part) | sed 's/^.\{5\}//')
 	dd if=/tmp/certs.tar of=/dev/$mmc_dev
 	;;
-udaya,a5-id2)
+udaya,a5-id2|\
+yuncore,ax820)
 	cd /certificates
 	tar cf /tmp/certs.tar .
 	part=$(tar_part_lookup "insta1" "insta2")
@@ -32,7 +33,7 @@ sonicfi,rap6*)
 	if [ "$(fw_printenv -n store_certs_disabled)" != "1" ]; then
 		cd /certificates
 		tar cf /tmp/certs.tar .
-		part=$(tar_part_lookup "0:BOOTCONFIG" "0:BOOTCONFIG1")
+		part=$(tar_part_lookup "devinfo" "certificates")
 		mtd=$(find_mtd_index $part)
 		block_size=$(cat /sys/class/mtd/mtd$mtd/size)
 		dd if=/tmp/certs.tar of=/tmp/certs_pad.tar bs=$block_size conv=sync

feeds/tip/cloud_discovery/files/etc/init.d/cloud_discover

@@ -22,6 +22,19 @@ start_service() {
 	[ "$valid" == "true" ] || 
 		/usr/share/ucentral/ucentral.uc /etc/ucentral/ucentral.cfg.0000000001 > /dev/null
 
+	est_client check
+	[ $? -eq 1 ] && {
+		logger ERROR
+		logger ERROR
+		logger ERROR
+		logger The certificate used has a CN that does not match the serial of the device
+		echo The certificate used has a CN that does not match the serial of the device
+		logger ERROR
+		logger ERROR
+		logger ERROR
+		return
+	}
+
 	procd_open_instance
 	procd_set_param command "$PROG"
 	procd_set_param respawn

feeds/tip/cloud_discovery/files/usr/bin/cloud_discovery

@@ -15,9 +15,14 @@ const ONLINE = 2;
 const OFFLINE = 3;
 const ORPHAN = 4;
 
+const DISCOVER_DHCP = "DHCP";
+const DISCOVER_FLASH = "FLASH";
+const DISCOVER_LOOKUP = "OpenLAN";
+
 let ubus = libubus.connect();
 let uci = libuci.cursor();
 let state = DISCOVER;
+let discovery_method = "";
 let validate_time;
 let offline_time;
 let orphan_time;
@@ -28,7 +33,7 @@ let timeouts = {
 	'orphan': 2 * 60 * 60,
 	interval: 10000,
 	expiry_interval: 60 * 60 * 1000,
-	expiry_threshold: 3 * 24 * 60 * 60,
+	expiry_threshold: 1 * 365 * 24 * 60 * 60,
 };
 
 ulog_open(ULOG_SYSLOG | ULOG_STDIO, LOG_DAEMON, "cloud_discover");
@@ -37,6 +42,24 @@ ulog(LOG_INFO, 'Start\n');
 
 uloop.init();
 
+let cds_server = 'discovery.open-lan.org';
+
+function detect_certificate_type() {
+	let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
+	let issuer = pipe.read("all");
+	pipe.close();
+
+	if (match(issuer, /OpenLAN Demo Birth CA/)) {
+		ulog(LOG_INFO, 'Certificate type is "Demo" \n');
+		cds_server = 'discovery-qa.open-lan.org';
+		timeouts.expiry_threshold = 3 * 24 * 60 * 60;
+	} else if (match(issuer, /OpenLAN Birth Issuing CA/)) {
+		ulog(LOG_INFO, 'Certificate type is "Production"\n');
+	} else {
+		ulog(LOG_INFO, 'Certificate type is "TIP"\n');
+	}
+}
+
 function readjsonfile(path) {
 	let file = fs.readfile(path);
 	if (file)
@@ -78,6 +101,14 @@ function gateway_load() {
 	return readjsonfile('/etc/ucentral/gateway.json');
 }
 
+function discovery_state_write() {
+	let discovery_state = {
+		"type": discovery_method,
+		"updated": time()
+	};
+	fs.writefile('/etc/ucentral/discovery.state.json', discovery_state);
+}
+
 function gateway_write(data) {
 	let gateway = gateway_load();
 	gateway ??= {};
@@ -91,9 +122,10 @@ function gateway_write(data) {
 		if (new[key] != gateway[key])
 			changed = true;
 	}
-	if (changed)
+	if (changed) {
 		fs.writefile('/etc/ucentral/gateway.json', new);
 		system('sync');
+	}
 	return changed;
 }
 
@@ -130,6 +162,7 @@ function set_state(set) {
 		if (prev == VALIDATING) {
 			ulog(LOG_INFO, 'Setting cloud controller to validated\n');
 			gateway_write({ valid: true });
+			discovery_state_write();
 		}
 		break;
 
@@ -164,7 +197,7 @@ function redirector_lookup() {
 	let serial = uci.get('system', '@system[-1]', 'mac');
 
 	fs.unlink(path);
-	system(`curl -k --cert /etc/ucentral/operational.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/operational.ca https://openlan.keys.tip.build/v1/devices/${serial} --output /tmp/ucentral.redirector`);
+	system(`curl -k --cert /etc/ucentral/operational.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/operational.ca https://${cds_server}/v1/devices/${serial} --output /tmp/ucentral.redirector`);
 	if (!fs.stat(path))
 		return;
 	let redir = readjsonfile(path);
@@ -227,15 +260,18 @@ function interval_handler() {
 		if (!time_is_valid())
 			return;
 
+		discovery_method = DISCOVER_DHCP;
 		if (discover_dhcp())
 			return;
 
 		if (system('/usr/bin/est_client enroll'))
 			return;
 
+		discovery_method = DISCOVER_FLASH;
 		if (!discover_flash())
 			return;
 
+		discovery_method = DISCOVER_LOOKUP;
 		redirector_lookup();
 		break;
 
@@ -255,6 +291,36 @@ function interval_handler() {
 	}
 }
 
+function trigger_reenroll() {
+	ulog(LOG_INFO, 'triggering reenroll\n');
+
+	if (system('/usr/bin/est_client reenroll')) {
+		ulog(LOG_INFO, 'reenroll failed\n');
+		return;
+	}
+	
+	ulog(LOG_INFO, 'reenroll succeeded\n');
+	ulog(LOG_INFO, 'stopping client\n');
+	
+	system('/etc/init.d/ucentral stop');
+	set_state(DISCOVER);
+}
+
+function expiry_handler() {
+	let stat = fs.stat('/etc/ucentral/operational.ca');
+	if (!stat)
+		return;
+
+	let ret = system(`openssl x509 -checkend ${timeouts.expiry_threshold} -noout -in /certificates/operational.pem`);
+	if (!ret) {
+		ulog(LOG_INFO, 'checked certificate expiry - all ok\n');
+		return;
+	}
+
+	ulog(LOG_INFO, 'certificate will expire soon\n');
+	trigger_reenroll();
+}
+
 let ubus_methods = {
 	discover: {
 		call: function(req) {
@@ -329,28 +395,16 @@ let ubus_methods = {
 		},
 		args: {},
 	},
+	reenroll: {
+		call: function(req) {
+			trigger_reenroll();
+			return 0;
+		},
+		args: {},
+	},
 };
 
-function expiry_handler() {
-	let stat = fs.stat('/etc/ucentral/operational.ca');
-	if (!stat)
-		return;
-
-	let ret = system(`openssl x509 -checkend ${timeouts.expiry_threshold} -noout -in /certificates/operational.pem`);
-	if (!ret) {
-		ulog(LOG_INFO, 'checked certificate expiry - all ok\n');
-		return;
-	}
-
-	ulog(LOG_INFO, 'certificate will expire soon\n');
-	if (system('/usr/bin/est_client reenroll')) {
-		ulog(LOG_INFO, 'reenroll failed\n');
-		return;
-	}
-	ulog(LOG_INFO, 'reenroll succeeded\n');
-	ulog(LOG_INFO, '(re)starting client\n');
-	system('/etc/init.d/ucentral restart');
-}
+detect_certificate_type();
 
 if (gateway_available()) {
 	let status = ubus.call('ucentral', 'status');

feeds/tip/cloud_discovery/files/usr/bin/est_client

@@ -4,12 +4,28 @@
 
 import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
 import * as fs from 'fs';
+import * as libuci from 'uci';
 
 let store_operational_pem = false;
 let store_operational_ca = false;
-let est_server = 'qaest.certificates.open-lan.org:8001';
+let est_server = 'est.certificates.open-lan.org';
 let cert_prefix = 'operational';
 
+function set_est_server() {
+	let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
+	let issuer = pipe.read("all");
+	pipe.close();
+
+	if (match(issuer, /OpenLAN Demo Birth CA/)) {
+		ulog(LOG_INFO, 'Certificate type is "Demo" \n');
+		est_server = 'qaest.certificates.open-lan.org:8001';
+	} else if (match(issuer, /OpenLAN Birth Issuing CA/)) {
+		ulog(LOG_INFO, 'Certificate type is "Production"\n');
+	} else {
+		ulog(LOG_INFO, 'Certificate type is "TIP"\n');
+	}
+}
+
 if (getenv('EST_SERVER'))
 	est_server = getenv('EST_SERVER');
 
@@ -78,6 +94,8 @@ function call_est_server(path, cert, target) {
 	if (generate_csr(cert))
 		return 1;
 
+	set_est_server();	
+
 	let ret = system('curl -m 10 -X POST https://' + est_server + '/.well-known/est/' + path + ' -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert ' + cert + ' --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
 	if (ret) {
 		ulog(LOG_INFO, 'Failed to request operational certificate\n');
@@ -125,6 +143,9 @@ function load_operational_ca() {
 		ulog(LOG_INFO, 'Operational CA is present\n');
 		return 0;
 	}
+
+	set_est_server();	
+
 	let ret = system('curl -m 10 -X GET https://' + est_server + '/.well-known/est/cacerts --cert /etc/ucentral/' + cert_prefix + '.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/' + cert_prefix + '.ca.nohdr.p7');
 	if (!ret)
 		ret = p7_too_pem('/tmp/' + cert_prefix + '.ca.nohdr.p7', '/etc/ucentral/' + cert_prefix + '.ca');
@@ -139,11 +160,14 @@ function load_operational_ca() {
 }
 
 function fwtool() {
+	if (!fs.stat('/etc/ucentral/cert.pem'))
+		return 0;
+
 	let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
 	let issuer = pipe.read("all");
 	pipe.close();
 
-	if (!(match(issuer, /OpenLAN/) && match(issuer, /Birth CA/)))
+	if (!(match(issuer, /OpenLAN/) && match(issuer, /Birth/)))
 		return 0;
 
 	ulog(LOG_INFO, 'The issuer is insta\n');
@@ -163,6 +187,20 @@ function fwtool() {
 	return 0;
 }
 
+function check_cert() {
+	if (!fs.stat('/etc/ucentral/cert.pem'))
+		return 0;
+	let pipe = fs.popen("openssl x509 -in /etc/ucentral/cert.pem  -noout -subject -nameopt multiline | grep commonName | awk '{ print $3 }'");
+	let cn = pipe.read("all");
+	pipe.close();
+	if (!cn)
+		return 0;
+	cn = lc(trim(cn));
+	let uci = libuci.cursor();
+	let serial = uci.get('ucentral', 'config', 'serial');
+	return cn != serial;
+}
+
 switch(ARGV[0]) {
 case 'enroll':
 	let ret = simpleenroll();
@@ -184,4 +222,7 @@ case 'reenroll':
 
 case 'fwtool':
 	exit(fwtool());
+
+case 'check':
+	exit(check_cert());
 }

feeds/tip/cloud_discovery/files/usr/share/ucentral/cloud_discovery.uc

@@ -5,7 +5,7 @@ import * as fs from 'fs';
 
 let cmd = ARGV[0];
 let ifname = getenv("interface");
-let opt224 = getenv("opt138");
+let opt138 = getenv("opt138");
 let opt224 = getenv("opt224");
 
 if (cmd != 'bound' && cmd != 'renew')

feeds/tip/tip-defaults/files/etc/ucentral/insta.pem

@@ -4,3 +4,6 @@ MIIFajCCA1KgAwIBAgICDnowDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3BlbkxBTiBEZW1vIFJv
 -----BEGIN CERTIFICATE-----
 MIIFIDCCAwigAwIBAgICDnkwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3BlbkxBTiBEZW1vIFJvb3QgQ0EwHhcNMjUwMjIxMTUwMDAwWhcNMjYwMjIxMTUwMDAwWjAfMR0wGwYDVQQDDBRPcGVuTEFOIERlbW8gUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMjExylKdJWoJu9mOHPJ6yZFXKe1lE467G65acpS2FKIWnPVFjNCmATMpkMOIFzEFwyFdbQjzOidtiL+73zlE52lOJpXCfOcxDFqDYDJJ8//J1/gQWsBaKpSvgLiHU/0awkQg+yJYZpj8YZa4NkFe+zTjQScSfOsqPPb3rZ7DOQ2BKAhjVShKmVbtNil0iO0zm8vE8DNkktTNMREp2pzb8MbCAgfOkwlrby6T+rV3TvmjThGdFUb5lWDFxWtlF8W0SUII9qj7p5TdGpryeLsO0nZTBtS4HxZNdvmKOHfgcRHmSZIJigB2NzKLNrXF9JBW0WnUSwZJZAG2C1RTx6lADILPueuusyfR/hZ3koKi4PHnSiTwQghzia9K9QjNHq5z9R9ZoCnhBg1VyU4LKmp862L0sIp2vgnOYunEIi9aCYBaDwo+0FuVjZuXyDIatwVuA7TN5IWPHA6XLdOt1mmkeYy1Ldr4XHjdondhtOyeei1UFXmyyLm2+kmRYfTm91TqYmNzRgbRV2NHO50AmsnBknX4Rv3gishGe0+dV5yFcUwZud0z2rSCkuoai5tKrPT+6Y6NqkT9u9HFifIBXnLwEzVUqHRtW6SuWj2DClVQIXIUZtFnhY4GuTuf6DlzgnXO58oDVCZmCW4ULIpbqGeRsvBHR8Sw5JXP/1+TMUYhE8TAgMBAAGjZjBkMB8GA1UdIwQYMBaAFDzIg8eyTI3xc4A2R60f8HanhBZDMB0GA1UdDgQWBBQ8yIPHskyN8XOANketH/B2p4QWQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATANBgkqhkiG9w0BAQsFAAOCAgEAkHZ5KR8IOrdfMFy+iOvauvZxfQ84LL6TpB2FQKDjneJUdd7c29UJJFNW/0mp4Gc6jKZab6J8Dx/pNnbH0RqFjGjeRGtJ4Sk0G7gf9zw1S7qut5WJDcisM9l/wXC+zy/KSKKPQmbt0grWOtU7+NNPh1YU76hIrInq/u2sVZyKH8SXQ957fbJk6BX6JTKyNEn05AB6rNSrbOWo8sy2MlcJ7bBsrWYI1t6GcWFh4b36bLu7/dKJWpyFNXXIkKJsgMEDpEQae56+fSSDo0KRNtYB82fNZDIQlGK81rGJWNzAahM+3GD1tgk/3ZVugfaJhcBpoHHKNOGqZAvtirLAIDocno7AzqoeIz974Rh2Olsl2/arApYPyyfi8PMYuFe/d4h+Wie8n+jh5n48lZ2Ve4PK+j+QHD6tTZS4f0bGnPL1puMxzQloltuQWgLDeVfEgrc3snLvjOg8aDzWm/es85lP8XcyW54U4t3JmrNUC2C7v+Uafx7cL7eDeunhs+BRhtGV+IUmjub2IrpqZp3zZqn+LVRdYJIy/qHhjS5+ImckXkFojOmeWhfmEmYSuNP8Oa6cGuXp829qnbxLh9Qzi3TfXV883KLse4kL5Zl7gBA/4hz2hVMyGJ8fY+VvzbaTuOXyvKJ+rGZCTcRSeotBLnIevVMiL7SqOEwN0j4Mfbznfq8=
 -----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFTCCAv2gAwIBAgICAxIwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3BlbkxBTiBSb290IENBMCAXDTI1MDUxNDA4NDcxMFoYDzIwNTUwNTE0MDg0NzEwWjAaMRgwFgYDVQQDDA9PcGVuTEFOIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDGibJ04A55kSURTBSKgcBmLnND2I5wws1taKqqU9aaRhB7NtvMHwh2voH9b1brUiulZaZwTN/9kzd4AnXeKQ+0u5tV7Ofk0fzF2MK47n17TS30Yenqc4NuQEKdpKK/pM3VvOEppR/bqtgyLtDmbDnmFOx+zTj/+smTgouwA+Iier0P4s5OohYxn/bjOqwQbHbU79VpGBIWv6/kt55AhH7zvsqqKHkrzTxnsRBv3SBIufrjJr9PIhZBLDrqr56P6KgAi0eoutNt2ToiJbE0WfjU7GI1RSiSN5bGj1zXhjNVzQWs1H9QzRf3c9pl3+haHQZ7FZ1UqiTRewmbNrQ6I9k81au3SttUlb87MyAuDSzatkiq7CjQ8VE1J6te6ZBt2zWpUhHsR/Lg7g3eOw5dL4oZJdK5GgGu/MUajLUXifIqM13Mvg0VTzDhN69VLXLSL0gPcicsQCwJuAza1IC/VqmBGx19fAkyJhOurCXWOgisi0g1+xzPKRphUNwMPUf8vBVOM/Vc6xDIvwVGE3+eWXyhixneFlSpAI03nWWjpwWXihTBoxbfRXO3Y/ilJqrgFN+U4PJcCPA+Wo7ThH0mgX6bOTPcgXMUzT3v3FF6Bx5/PNV3kYrw2yLzribUiS6AGvVGnW4hX2Z6OQvA/aHME8KF+6y6m4pC7FkUjVaRlzWu/wIDAQABo2MwYTAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbCJjAdBgNVHQ4EFgQUlGhbqDj5OECwcmT+O5I+KdSGwiYwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAB+/RUC2X6eVoPsFNMkaXO5Iib/ub0JoWhODQm8j2Mr5dpGXESSpXjfDcqDOLuJbWWoflXBLdr8BsVCBqOA9YgCX0H8Br7dUWmCScixxLW0he592/424EvdwifxcKHZLjv9CKV5Txhqnm2djc5RY/nTH5MYVrIh/If2TNO5ydDP6+vgy9GQ4en04VK7rz+PW17O8l7k9/lOmYptZmHgSDAPj/cT3PlG+McqaI5rMSHeEHlzH+PvgWjtSeEhF4FwFBXroDl4/yb4l2JB8bqAZ3vsOXSkigFcZh5MXPe+zuSSW+G8iLr4xoi0CFsP2DaHEyxgqP4B1FtE9nFPo6cvWbwqTVT7QSzqfH+jPJuQvpFXeRF5UFegNZTFT5/uFFPamihakFslEYxeJey1y+OJdLcP6ef87ruSt8amsq56OAETYpnW4JFowlEh0C+QwLGHGGY6WrOgHY/90hJmPgXBdBVg/IoOhzbvk5A+LqZDvxV2/rLNfClw8Kr3g5e8obcB6dWgMCy2z+us0H79ucnmhzQKsjpxM9T1ncHovAQfiD3jVqfHULY53avh0wIAjosoTGbe8dyx80quHe+16qWan7C9idXeAYYJXbZt5hs6hLw4I8M1LsjTg6vwsqiaHZpsmDyyQLdFjNJldG7aosfS9F+BIpuwijF+1dashL0CPsbIJ
+-----END CERTIFICATE-----

feeds/ucentral/rtty/files/rtty.init

@@ -51,7 +51,7 @@ start_rtty() {
 	procd_set_param command $BIN -h $host -I "$id" -a
 	[ -n "$port" ] && procd_append_param command -p "$port"
 	[ -n "$description" ] && procd_append_param command -d "$description"
-	[ "$ssl" = "1" ] && procd_append_param command -s -c /etc/ucentral/opertional.pem -k /etc/ucentral/key.pem
+	[ "$ssl" = "1" ] && procd_append_param command -s -c /etc/ucentral/operational.pem -k /etc/ucentral/key.pem
 	[ -n "$token" ] && procd_append_param command -t "$token"
 	[ "$verbose" = "1" ] && procd_append_param command -v
 	[ "$timeout" -eq "0" ] || procd_append_param command -e $timeout

feeds/ucentral/ucentral-client/Makefile

@@ -4,10 +4,9 @@ PKG_NAME:=ucentral-client
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL=https://github.com/Telecominfraproject/wlan-ucentral-client.git
-PKG_MIRROR_HASH:=34c912efa9c0dcdbc6122296e236993484b24b3bc4de51608356304afc8df1c3
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2025-07-27
-PKG_SOURCE_VERSION:=c536f6957bd96e57301f9d540b75460119d2a69a
+PKG_SOURCE_DATE:=2025-08-11
+PKG_SOURCE_VERSION:=549e84e5fea7230c5471d6a3dbddcc7d3152f665
 
 PKG_LICENSE:=BSD-3-Clause
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>

feeds/ucentral/ucentral-schema/Makefile

@@ -4,10 +4,9 @@ PKG_NAME:=ucentral-schema
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL=https://github.com/Telecominfraproject/wlan-ucentral-schema.git
-PKG_MIRROR_HASH:=45575f1f345368d109f74dc5ae3c8648dadbebef37e2d8eadc95b4fca2fbf43f
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2025-07-30
-PKG_SOURCE_VERSION:=30c73745c104d56f58d4f457956fe7ebac6e0f86
+PKG_SOURCE_DATE:=2025-08-04
+PKG_SOURCE_VERSION:=1c6b3095cb9e398fcbfcb2bf995365066eb76b21
 PKG_MAINTAINER:=John Crispin <john@phrozen.org>
 PKG_LICENSE:=BSD-3-Clause
 

feeds/ucentral/ucentral-state/files/ucentral-state

@@ -20,6 +20,7 @@ let config;
 let offline_timer;
 let current_state;
 let online = false;
+let leds_off = false;
 
 function self_healing() {
 	let heal_wifi = false;
@@ -148,6 +149,13 @@ function online_handler() {
 
 function config_load() {
 	ulog(LOG_INFO, 'loading config\n');
+
+	uci.load('system');
+	let led_off_cfg = uci.get("system", "@system[0]", "leds_off");
+	if (led_off_cfg == 1) {
+		leds_off = true;
+	}
+
 	uci.load('state');
 	config = uci.get_all('state');
 
@@ -191,7 +199,7 @@ function led_find(alias) {
 function factory_reset_timeout() {
 	let led = led_find('led-running');
 	if (led)
-		led_write(led, 'trigger', 'default-on');
+		led_write(led, 'trigger', leds-off ? 'none' : 'default-on');
 }
 
 let blink_timer;
@@ -210,7 +218,7 @@ let state_handler = {
 	offline: function() {
 		online = false;
 		let led = led_find('led-running');
-		if (led)
+		if (!leds_off && led)
 			led_write(led, 'trigger', 'heartbeat');
 		if (config.ui.offline_trigger) {
 			if (offline_timer)
@@ -223,7 +231,7 @@ let state_handler = {
 	online: function() {
 		online = true;
 		let led = led_find('led-running');
-		if (led)
+		if (!leds_off && led)
 			led_write(led, 'trigger', 'default-on');
 		online_handler();
 		return 0;

patches/0096-base-files-boot-add-sync-after-uci-defaults.patch

@@ -0,0 +1,33 @@
+From 309a419087da906a2f3b0f39763f021e9729dd85 Mon Sep 17 00:00:00 2001
+From: Paul White <paul@shasta.cloud>
+Date: Mon, 4 Aug 2025 04:14:23 +0000
+Subject: [PATCH] base-files: boot: add sync after uci-defaults
+
+A scenario was seen where UCI config was not flushed to disk before
+an AP power-cycle after uci-defaults was completed.  Since these
+scripts are deleted after being ran once, there is no way to recover
+without a factory reset.
+
+Adding this sync operation proved to help avoid this situation from
+happening
+
+Signed-off-by: Paul White <paul@shasta.cloud>
+---
+ package/base-files/files/etc/init.d/boot | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/package/base-files/files/etc/init.d/boot b/package/base-files/files/etc/init.d/boot
+index 15756669a9..c8a803e32c 100755
+--- a/package/base-files/files/etc/init.d/boot
++++ b/package/base-files/files/etc/init.d/boot
+@@ -15,6 +15,7 @@ uci_apply_defaults() {
+ 		( . "./$(basename $file)" ) && rm -f "$file"
+ 	done
+ 	uci commit
++	sync
+ }
+ 
+ boot() {
+-- 
+2.43.0
+

patches/0097-yuncore_ax820-add-insta1-2-partitions.patch

@@ -0,0 +1,36 @@
+From 3ceb72aaffa13375c049d161702e9d9f55da38c8 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Mon, 4 Aug 2025 08:34:50 +0200
+Subject: [PATCH] yuncore_ax820: add insta1/2 partitions
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ target/linux/ramips/dts/mt7621_yuncore_ax820.dts | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/target/linux/ramips/dts/mt7621_yuncore_ax820.dts b/target/linux/ramips/dts/mt7621_yuncore_ax820.dts
+index b2f55b9be0..cc1b59340b 100644
+--- a/target/linux/ramips/dts/mt7621_yuncore_ax820.dts
++++ b/target/linux/ramips/dts/mt7621_yuncore_ax820.dts
+@@ -120,7 +120,17 @@
+ 			partition@90000 {
+ 				compatible = "denx,uimage";
+ 				label = "firmware";
+-				reg = <0x90000 0xf60000>;
++				reg = <0x90000 0xf40000>;
++			};
++
++			partition@fd0000 {
++				label = "insta1";
++				reg = <0xfd0000 0x10000>;
++			};
++
++			partition@fe0000 {
++				label = "insta2";
++				reg = <0xfe0000 0x10000>;
+ 			};
+ 
+ 			partition@ff0000 {
+-- 
+2.34.1
+

patches/0099-elfutils-fix-build-with-GCC11.patch

@@ -0,0 +1,26 @@
+From b82a8514a3f52b91ec84f703ef92740dda19d5d9 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Thu, 14 Aug 2025 10:29:29 +0200
+Subject: [PATCH] elfutils: fix build with GCC11
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ package/libs/elfutils/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/package/libs/elfutils/Makefile b/package/libs/elfutils/Makefile
+index f7364c36be..76112c89ff 100644
+--- a/package/libs/elfutils/Makefile
++++ b/package/libs/elfutils/Makefile
+@@ -87,7 +87,7 @@ TARGET_CFLAGS += \
+ 	-Wno-unused-result \
+ 	-Wno-format-nonliteral
+ 
+-ifneq ($(CONFIG_GCC_USE_VERSION_11),y)
++ifneq ($(CONFIG_GCC_VERSION_11),y)
+ TARGET_CFLAGS += \
+ 	-Wno-error=use-after-free
+ endif
+-- 
+2.34.1
+

patches/0099-wireless-regdb-fix-channel-14-in-JP.patch

@@ -0,0 +1,39 @@
+From d0a0f0304f292a40f2fcdd20b320089627b0f05f Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Thu, 7 Aug 2025 14:50:51 +0200
+Subject: [PATCH] wireless-regdb: fix channel 14 in JP
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ .../patches/200-jp-no-channel-14.patch        | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+ create mode 100644 package/firmware/wireless-regdb/patches/200-jp-no-channel-14.patch
+
+diff --git a/package/firmware/wireless-regdb/patches/200-jp-no-channel-14.patch b/package/firmware/wireless-regdb/patches/200-jp-no-channel-14.patch
+new file mode 100644
+index 0000000000..ea1411cfdd
+--- /dev/null
++++ b/package/firmware/wireless-regdb/patches/200-jp-no-channel-14.patch
+@@ -0,0 +1,19 @@
++--- a/db.txt
+++++ b/db.txt
++@@ -16,8 +16,6 @@ country 00:
++ 	(2402 - 2472 @ 40), (20)
++ 	# Channel 12 - 13.
++ 	(2457 - 2482 @ 20), (20), NO-IR, AUTO-BW
++-	# Channel 14. Only JP enables this and for 802.11b only
++-	(2474 - 2494 @ 20), (20), NO-IR, NO-OFDM
++ 	# Channel 36 - 48
++ 	(5170 - 5250 @ 80), (20), AUTO-BW
++ 	# Channel 52 - 64
++@@ -945,7 +943,6 @@ country JO: DFS-JP
++ # https://www.soumu.go.jp/main_content/000833682.pdf
++ country JP: DFS-JP
++ 	(2402 - 2482 @ 40), (20)
++-	(2474 - 2494 @ 20), (20), NO-OFDM
++ 	(4910 - 4990 @ 40), (23)
++ 	(5170 - 5250 @ 80), (20), AUTO-BW
++ 	(5250 - 5330 @ 80), (20), DFS, AUTO-BW
+-- 
+2.34.1
+