[lightning-ln882h] Restore Tuya factory MAC on first boot; fall back to TRNG

Every LN882H ships with the same factory-default MAC address (00:50:C2:5E:10:88)
written to KV flash by sysparam_integrity_check_all(). Without a fix every device
on the same network shares one MAC, causing ARP conflicts and connection failures.

Fix: lt_init_unique_mac() is called immediately after sysparam_integrity_check_all()
in lt_init_family(). It resolves the MAC in priority order:

1. sysparam KV (0x1E0000) already holds a non-sentinel MAC: return immediately.
   This is the fast path on every boot after the first, and also covers the
   LibreTiny-to-LibreTiny OTA update case since 0x1E0000 is outside the OTA
   partition and is never erased by OTA.

2. Tuya BLK_V1.0 KV store at 0x1C5000: scan for the last valid 6_sta_mac entry
   and restore it. Tuya assigns every LN882H a unique MAC at the factory and
   stores it here. This region lies within the OTA partition (0x133000-0x1DD000),
   but OTA writes are block-addressed and the current firmware (~530 KB) ends at
   ~0x1B4700 — well short of 0x1C5000 — so the Tuya KV is preserved under both
   UART flash (covers 0x000000-0x088000) and OTA (block-addressed, stops at image
   end). No partition layout changes are needed.

3. Tuya KV absent or erased (e.g. UART flash with full-chip erase option): generate
   a unique address via ln_generate_random_mac() (hardware TRNG). This mirrors the
   approach used in OpenBK7231T_App.

In all cases the result is persisted to sysparam KV so step 1 handles every
subsequent boot. The SoftAP MAC is derived by setting the locally-administered bit
on the first octet of the STA MAC.

Analysis based on binary examination of 5 unique Tuya LN882H flash dumps (4x
DS-101JL wall switches + 1x GU10 bulb). All devices, including those never
provisioned via the Tuya app, carry a unique 6_sta_mac entry at a predictable
offset within the BLK_V1.0 KV region, confirming that the MAC is factory-assigned
at manufacturing time.

Author: Bl00d-B0b

cores/lightning-ln882h/base/api/lt_init.c

@@ -1,8 +1,13 @@
 /* Copyright (c) Etienne Le Cousin 2024-02-24. */
 
+#include <hal/hal_flash.h>
 #include <libretiny.h>
 #include <sdk_private.h>
 
+// Declared in components/utils/ln_misc.h; compiled in ln882h_net.
+// Not thread-safe — safe here since lt_init_family() runs before the RTOS scheduler.
+extern int ln_generate_random_mac(uint8_t *addr);
+
 extern uint8_t uart_print_port;
 extern Serial_t m_LogSerial;
 
@@ -13,6 +18,111 @@ static void lt_init_log(void) {
 	serial_init(&m_LogSerial, LT_UART_DEFAULT_PORT, CFG_UART_BAUDRATE_LOG, NULL);
 }
 
+// Scan the Tuya BLK_V1.0 KV store for the last valid "6_sta_mac" entry.
+//
+// Background: Tuya assigns every LN882H a unique MAC at the factory and writes
+// it to a BLK_V1.0 append-log KV store at flash offset 0x1C5000 (4 blocks x 4 KB).
+// This region lies within LibreTiny's OTA partition (0x133000–0x1DD000), but OTA
+// writes only the firmware image bytes (~530 KB, ending at ~0x1B4700) so 0x1C5000
+// is never touched unless the firmware grows beyond 592 KB.  UART full-flash also
+// only covers 0x000000–0x088000 and therefore likewise preserves the Tuya KV.
+//
+// BLK_V1.0 entry layout (no null terminator between key and value):
+//   it_magic[8] | crc16[2] | val_size_u16_le[2] | prev_ptr_u32_le[4] | key[N] | value[val_size]
+//
+// The factory sentinel "6_sta_mac" #1 is always 00:50:C2:5E:10:88 (from
+// sysparam_factory_setting.h).  The real unique MAC is written as a second
+// "6_sta_mac" entry during Tuya manufacturing.  BLK_V1.0 is an append-only log,
+// so the last matching entry wins — we return that.
+//
+// Returns true and fills mac_out[6] if a valid non-sentinel MAC is found.
+static bool lt_tuya_kv_read_sta_mac(uint8_t *mac_out) {
+	static const uint8_t IT_MAGIC[8]    = "it_magic";
+	static const uint8_t STA_MAC_KEY[9] = "6_sta_mac";
+	static const uint8_t SENTINEL[6]    = {0x00, 0x50, 0xC2, 0x5E, 0x10, 0x88};
+
+	// Tuya KV: 4 blocks x 4 KB starting at FLASH_OTA_OFFSET + 0x92000
+	// (= 0x1C5000 on the standard lightning-ln882hki partition layout)
+	const uint32_t kv_base = FLASH_OTA_OFFSET + 0x92000UL;
+	const uint32_t kv_size = 0x4000UL;
+
+	// Entry buffer: it_magic(8) + header(8) + key(9) + value(6) = 31 bytes
+	uint8_t entry[31];
+	bool    found = false;
+	uint32_t off;
+
+	for (off = 0; off + sizeof(entry) <= kv_size; off++) {
+		hal_flash_read(kv_base + off, 8, entry);
+		if (memcmp(entry, IT_MAGIC, 8) != 0)
+			continue;
+
+		// Read header + key + value
+		hal_flash_read(kv_base + off + 8, 23, entry + 8);
+
+		uint16_t val_size = entry[10] | ((uint16_t)entry[11] << 8);
+		if (val_size != 6)
+			goto next;
+		if (memcmp(entry + 16, STA_MAC_KEY, 9) != 0)
+			goto next;
+
+		// entry[25..30] = 6-byte MAC value
+		if (memcmp(entry + 25, SENTINEL, 6) == 0)
+			goto next;
+		bool all_ff = true;
+		for (int i = 0; i < 6; i++)
+			if (entry[25 + i] != 0xFF) { all_ff = false; break; }
+		if (all_ff)
+			goto next;
+
+		memcpy(mac_out, entry + 25, 6);
+		found = true; // keep scanning — last entry wins in BLK_V1.0 log
+
+next:
+		off += 7; // skip past magic header, outer off++ gives total advance of 8
+	}
+	return found;
+}
+
+// Ensure the stored STA/SoftAP MACs are unique on first boot after flash.
+//
+// Priority:
+//   1. LibreTiny sysparam KV already holds a non-sentinel MAC → nothing to do.
+//      (fast path on every boot after first; also covers LibreTiny→LibreTiny OTA)
+//   2. Tuya BLK_V1.0 KV at 0x1C5000 has a valid unique MAC → restore it.
+//      (first boot after UART flash or Kickstart/cloudcutter OTA from Tuya stock)
+//   3. Tuya KV empty / erased (e.g. UART flash with full-chip erase) → TRNG.
+//
+// sysparam KV at 0x1E0000 is outside the OTA partition and is never erased by
+// OTA, so the resolved MAC is stable across all future LibreTiny OTA updates.
+static void lt_init_unique_mac(void) {
+	static const uint8_t factory_mac[6] = {0x00, 0x50, 0xC2, 0x5E, 0x10, 0x88};
+	uint8_t mac[6];
+
+	if (SYSPARAM_ERR_NONE != sysparam_sta_mac_get(mac))
+		return;
+	if (memcmp(mac, factory_mac, 6) != 0)
+		return; // step 1: already unique, nothing to do
+
+	// Step 2: try to recover Tuya-assigned factory MAC from BLK_V1.0 KV
+	if (lt_tuya_kv_read_sta_mac(mac)) {
+		LT_I("Restored Tuya factory MAC: %02X:%02X:%02X:%02X:%02X:%02X",
+		     mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
+		sysparam_sta_mac_update(mac);
+		mac[0] |= 0x02; // locally-administered bit → distinct SoftAP MAC
+		sysparam_softap_mac_update(mac);
+		return;
+	}
+
+	// Step 3: Tuya KV unavailable — generate via hardware TRNG
+	if (ln_generate_random_mac(mac) != 0)
+		return;
+	LT_I("Generated random unique MAC: %02X:%02X:%02X:%02X:%02X:%02X",
+	     mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
+	sysparam_sta_mac_update(mac);
+	mac[0] |= 0x02;
+	sysparam_softap_mac_update(mac);
+}
+
 void lt_init_family() {
 	// 0. check reboot cause
 	ln_chip_get_reboot_cause();
@@ -42,11 +152,14 @@ void lt_init_family() {
 	// init system parameter
 	sysparam_integrity_check_all();
 
+	// randomize MAC if still at factory default (first boot after flash)
+	lt_init_unique_mac();
+
 	ln_pm_sleep_mode_set(ACTIVE);
 	// ln_pm_always_clk_disable_select(CLK_G_I2S | CLK_G_WS2811 | CLK_G_SDIO);
 	/*ln_pm_always_clk_disable_select(CLK_G_I2S | CLK_G_WS2811 | CLK_G_SDIO | CLK_G_AES);
 	ln_pm_lightsleep_clk_disable_select(CLK_G_GPIOA | CLK_G_GPIOB | CLK_G_SPI0 | CLK_G_SPI1 | CLK_G_I2C0 |
-										CLK_G_UART1 | CLK_G_UART2 | CLK_G_WDT | CLK_G_TIM1 | CLK_G_TIM2 | CLK_G_MAC |
+									CLK_G_UART1 | CLK_G_UART2 | CLK_G_WDT | CLK_G_TIM1 | CLK_G_TIM2 | CLK_G_MAC |
 	CLK_G_DMA | CLK_G_RF | CLK_G_ADV_TIMER| CLK_G_TRNG);*/
 }