esp-rainmaker-cli 1.14.0__tar.gz → 1.14.1__tar.gz

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: esp-rainmaker-cli
-Version: 1.14.0
+Version: 1.14.1
 Summary: A python utility to perform host based claiming
 Home-page: https://github.com/espressif/esp-rainmaker-cli
 Author: Espressif Systems
@@ -122,6 +122,19 @@ Changelog
 
 All major changes to ESP RainMaker CLI will be documented in this file.
 
+## [1.14.1] - 05-Jun-2026
+### Bugfixes
+- Security 2 fixes across provisioning and local control:
+  - Provisioning auto-detect now reads `prov.sec_ver` from device capabilities
+    (was forcing sec1 on sec2 devices, causing firmware "Security version mismatch")
+  - `sec_patch_ver` discovered from device capabilities / `esp_local_ctrl/version`,
+    enabling the counter-in-IV scheme on ESP-IDF v5.4+ firmware
+  - `--sec2_username` option added to `--local` commands (`getnodeconfig`,
+    `getparams`, `setparams`); defaults to `wifiprov`, picks up cached
+    `local_control_username` from cloud params; `--pop` used as the SRP6a password
+  - QR code `username` / `password` fields now honoured by `provision`
+  - `Security2.serialize`/`deserialize` for local-control session resume parity with Security 1
+
 ## [1.14.0] - 24-Apr-2026
 ### Added
 - New `group sharing` subcommand for sharing device groups / Matter fabrics between users:

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/esp_rainmaker_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: esp-rainmaker-cli
-Version: 1.14.0
+Version: 1.14.1
 Summary: A python utility to perform host based claiming
 Home-page: https://github.com/espressif/esp-rainmaker-cli
 Author: Espressif Systems
@@ -122,6 +122,19 @@ Changelog
 
 All major changes to ESP RainMaker CLI will be documented in this file.
 
+## [1.14.1] - 05-Jun-2026
+### Bugfixes
+- Security 2 fixes across provisioning and local control:
+  - Provisioning auto-detect now reads `prov.sec_ver` from device capabilities
+    (was forcing sec1 on sec2 devices, causing firmware "Security version mismatch")
+  - `sec_patch_ver` discovered from device capabilities / `esp_local_ctrl/version`,
+    enabling the counter-in-IV scheme on ESP-IDF v5.4+ firmware
+  - `--sec2_username` option added to `--local` commands (`getnodeconfig`,
+    `getparams`, `setparams`); defaults to `wifiprov`, picks up cached
+    `local_control_username` from cloud params; `--pop` used as the SRP6a password
+  - QR code `username` / `password` fields now honoured by `provision`
+  - `Security2.serialize`/`deserialize` for local-control session resume parity with Security 1
+
 ## [1.14.0] - 24-Apr-2026
 ### Added
 - New `group sharing` subcommand for sharing device groups / Matter fabrics between users:

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/rainmaker/rainmaker.py

@@ -285,6 +285,10 @@ def main():
                                      choices=[0, 1, 2],
                                      default=None,
                                      help='Security version for local control (default: 1)')
+    getnodeconfig_parser.add_argument('--sec2_username',
+                                     type=str,
+                                     default=None,
+                                     help='SRP6a username for Security 2 local control. Defaults to the username cached from cloud params, else \'wifiprov\'. --pop is used as the password.')
     getnodeconfig_parser.add_argument('--local-raw',
                                      action='store_true',
                                      help='Use local control via raw endpoints (get_config with fragmentation) instead of esp_local_ctrl')
@@ -355,6 +359,10 @@ def main():
                                  choices=[0, 1, 2],
                                  default=None,
                                  help='Security version for local control (default: 1)')
+    setparams_parser.add_argument('--sec2_username',
+                                 type=str,
+                                 default=None,
+                                 help='SRP6a username for Security 2 local control. Defaults to the username cached from cloud params, else \'wifiprov\'. --pop is used as the password.')
     setparams_parser.add_argument('--local-raw',
                                  action='store_true',
                                  help='Use local control via raw endpoints (get_params/set_params) instead of esp_local_ctrl')
@@ -398,6 +406,10 @@ def main():
                                  choices=[0, 1, 2],
                                  default=None,
                                  help='Security version for local control (default: 1)')
+    getparams_parser.add_argument('--sec2_username',
+                                 type=str,
+                                 default=None,
+                                 help='SRP6a username for Security 2 local control. Defaults to the username cached from cloud params, else \'wifiprov\'. --pop is used as the password.')
     getparams_parser.add_argument('--local-raw',
                                  action='store_true',
                                  help='Use local control via raw endpoints (get_params/set_params) instead of esp_local_ctrl')

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/rainmaker/version.py

@@ -5,4 +5,4 @@
 # SPDX-License-Identifier: Apache-2.0
 
 # This file contains the version information for the ESP RainMaker CLI
-VERSION = "1.14.0"
+VERSION = "1.14.1"

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/rmaker_cmd/node.py

@@ -78,6 +78,9 @@ def _build_local_options_with_cache(vars_dict, node_cache=None, session_store=No
     sec_ver = raw_sec_ver if raw_sec_ver is not None else 1
     nodeid = vars_dict.get('nodeid', '')
 
+    user_sec2_username = vars_dict.get('sec2_username')  # None => not supplied
+    sec2_username = user_sec2_username
+
     if node_cache and not pop:
         capability = node_cache.get_local_control_capability(nodeid)
         if capability:
@@ -99,6 +102,9 @@ def _build_local_options_with_cache(vars_dict, node_cache=None, session_store=No
                 log.debug(f"Using cached POP for node {nodeid}")
                 if lc_info.get('sec_ver') is not None and not explicit_sec_ver:
                     sec_ver = lc_info['sec_ver']
+                if sec2_username is None and lc_info.get('username'):
+                    sec2_username = lc_info['username']
+                    log.debug(f"Using cached sec2 username for node {nodeid}")
 
         if not pop and not explicit_sec_ver:
             try:
@@ -114,15 +120,23 @@ def _build_local_options_with_cache(vars_dict, node_cache=None, session_store=No
                         pop = lc_info.get('pop', '')
                         if lc_info.get('sec_ver') is not None:
                             sec_ver = lc_info['sec_ver']
+                        if sec2_username is None and lc_info.get('username'):
+                            sec2_username = lc_info['username']
                         log.debug(f"Resolved POP from cloud for node {nodeid}")
             except Exception as e:
                 log.debug(f"Failed to auto-resolve POP from cloud: {e}")
 
+    if not sec2_username:
+        sec2_username = 'wifiprov'
+        if sec_ver == 2:
+            print(f"Using default Security 2 username '{sec2_username}'")
+
     local_options = {
         'pop': pop,
         'transport': vars_dict.get('transport', 'http'),
         'port': vars_dict.get('port', 8080),
         'sec_ver': sec_ver,
+        'sec2_username': sec2_username,
         'local_raw': vars_dict.get('local_raw', False),
         'device_name': vars_dict.get('device_name', None),
         'node_cache': node_cache,
@@ -1259,6 +1273,7 @@ def get_node_config(vars=None):
                     'transport': vars.get('transport', 'ble'),
                     'port': vars.get('port', 8080),
                     'sec_ver': vars.get('sec_ver') if vars.get('sec_ver') is not None else 1,
+                    'sec2_username': vars.get('sec2_username', 'wifiprov') or 'wifiprov',
                     'device_name': vars.get('device_name', None),
                     'timestamp': timestamp
                 }
@@ -1312,7 +1327,8 @@ def get_node_config(vars=None):
                         'pop': vars.get('pop', ''),
                         'transport': vars.get('transport', 'http'),
                         'port': vars.get('port', 8080),
-                        'sec_ver': vars.get('sec_ver') if vars.get('sec_ver') is not None else 1
+                        'sec_ver': vars.get('sec_ver') if vars.get('sec_ver') is not None else 1,
+                        'sec2_username': vars.get('sec2_username', 'wifiprov') or 'wifiprov',
                     }
 
                     node_config = run_local_control_operation(
@@ -1326,7 +1342,8 @@ def get_node_config(vars=None):
                         'pop': vars.get('pop', ''),
                         'transport': vars.get('transport', 'http'),
                         'port': vars.get('port', 8080),
-                        'sec_ver': vars.get('sec_ver') if vars.get('sec_ver') is not None else 0
+                        'sec_ver': vars.get('sec_ver') if vars.get('sec_ver') is not None else 0,
+                        'sec2_username': vars.get('sec2_username', 'wifiprov') or 'wifiprov',
                     }
 
                     log.info("Using simplified local control (security level 0)")
@@ -1567,6 +1584,7 @@ def set_params(vars=None):
                     'transport': vars.get('transport', 'http'),
                     'port': vars.get('port', 8080),
                     'sec_ver': vars.get('sec_ver') if vars.get('sec_ver') is not None else 0,
+                    'sec2_username': vars.get('sec2_username', 'wifiprov') or 'wifiprov',
                     'local_raw': vars.get('local_raw', False),
                     'device_name': vars.get('device_name', None)
                 }
@@ -1753,6 +1771,7 @@ def get_params(vars=None):
                         'transport': vars.get('transport', 'http'),
                         'port': vars.get('port', 8080),
                         'sec_ver': vars.get('sec_ver') if vars.get('sec_ver') is not None else 1,
+                        'sec2_username': vars.get('sec2_username', 'wifiprov') or 'wifiprov',
                         'local_raw': vars.get('local_raw', False),
                         'device_name': vars.get('device_name', None),
                         'timestamp': timestamp if not (proxy_report and vars.get('local_raw', False) and not timestamp_explicitly_provided) else timestamp,
@@ -1779,6 +1798,7 @@ def get_params(vars=None):
                         'transport': vars.get('transport', 'http'),
                         'port': vars.get('port', 8080),
                         'sec_ver': vars.get('sec_ver') if vars.get('sec_ver') is not None else 0,
+                        'sec2_username': vars.get('sec2_username', 'wifiprov') or 'wifiprov',
                         'local_raw': vars.get('local_raw', False),
                         'device_name': vars.get('device_name', None),
                         'timestamp': timestamp if not (proxy_report and vars.get('local_raw', False) and not timestamp_explicitly_provided) else timestamp,

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/rmaker_cmd/provision.py

@@ -117,8 +117,15 @@ def provision(vars=None):
             raise ValueError("Proof of possession (pop) may be required depending on security scheme. "
                            "Use --pop, provide via --qrcode, or specify --sec_ver to skip pop requirement "
                            "(Security 0 and 2 don't require pop).")
-        sec2_username = vars.get('sec2_username', '')
-        sec2_password = vars.get('sec2_password', '')
+
+        # sec2 credentials: explicit options override QR code values.
+        # QR code fields: 'username' and 'password' (sec2 SRP6a credentials).
+        sec2_username = (vars.get('sec2_username')
+                         or qrcode_data.get('username')
+                         or '')
+        sec2_password = (vars.get('sec2_password')
+                         or qrcode_data.get('password')
+                         or '')
         ssid = vars.get('ssid')
         passphrase = vars.get('passphrase')
         no_wifi = vars.get('no_wifi', False)

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/rmaker_lib/node_cache.py

@@ -56,7 +56,7 @@ def _get_cache_base_dir(profile_config=None):
 
 def extract_local_control_info(params_or_details):
     """
-    Extract local control info (POP, sec_ver, transport, port) from
+    Extract local control info (POP, sec_ver, username, transport, port) from
     node params or node details response data.
 
     Scans for a service/device named "Local Control" or similar that
@@ -74,6 +74,9 @@ def extract_local_control_info(params_or_details):
             lower_key = key.lower().replace(' ', '_').replace('-', '_')
             if lower_key in ('pop', 'proof_of_possession'):
                 info['pop'] = str(value)
+            elif lower_key in ('username', 'user_name', 'local_control_username'):
+                if value:
+                    info['username'] = str(value)
             elif lower_key == 'sec_ver':
                 try:
                     info['sec_ver'] = int(value)

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/rmaker_tools/common/security/security2.py

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 # APIs for interpreting and creating protobuf packets for
 # protocomm endpoint with security type protocomm_security2
+import base64
+import hashlib
 import struct
 import sys
 import os
@@ -75,6 +77,7 @@ class Security2(Security):
 
         self.client_pop_key = None
         self.nonce = bytearray()
+        self.session_key = None
 
         Security.__init__(self, self.security2_session)
 
@@ -170,6 +173,7 @@ class Security2(Security):
 
         # Using the first 256 bits of a 512 bit key
         session_key = shared_secret[:AES_KEY_LEN]
+        self.session_key = session_key
         self._print_verbose(f'Session Key:\t0x{session_key.hex()}')
 
         # 96-bit nonce
@@ -203,3 +207,65 @@ class Security2(Security):
         plaintext = self.cipher.decrypt(self.nonce, data, None)
         self._increment_nonce()
         return plaintext
+
+    @staticmethod
+    def _creds_hash(username: str, password: str) -> str:
+        h = hashlib.sha256()
+        h.update(str_to_bytes(username or ''))
+        h.update(b'\x00')
+        h.update(str_to_bytes(password or ''))
+        return h.hexdigest()
+
+    def serialize(self) -> Any:
+        """
+        Serialize session crypto state for disk persistence.
+        Returns a dict suitable for JSON serialization.
+        """
+        if self.session_key is None or not self.nonce:
+            return None
+        return {
+            'sec_ver': 2,
+            'sec_patch_ver': self.sec_patch_ver,
+            'session_key': base64.b64encode(self.session_key).decode('ascii'),
+            'nonce': base64.b64encode(bytes(self.nonce)).decode('ascii'),
+            'creds_hash': Security2._creds_hash(self.username, self.password),
+        }
+
+    @classmethod
+    def deserialize(cls, data: dict, username: str = '', password: str = '',
+                    verbose: bool = False) -> Any:
+        """
+        Restore a Security2 object from serialized session data.
+        Recreates the AES-GCM cipher and restores the nonce counter.
+
+        :param data: dict from serialize() / session.json
+        :param username: SRP6a username (used for creds_hash validation)
+        :param password: SRP6a password (used for creds_hash validation)
+        :param verbose: verbose flag
+        :return: Security2 instance, or None on hash mismatch / malformed data
+        """
+        try:
+            session_key = base64.b64decode(data['session_key'])
+            nonce = bytearray(base64.b64decode(data['nonce']))
+            sec_patch_ver = int(data.get('sec_patch_ver', 0))
+        except (KeyError, ValueError, Exception):
+            return None
+
+        saved_hash = data.get('creds_hash', '')
+        if saved_hash:
+            if cls._creds_hash(username, password) != saved_hash:
+                return None
+
+        obj = cls.__new__(cls)
+        obj.session_state = security_state.FINISHED
+        obj.sec_patch_ver = sec_patch_ver
+        obj.username = username
+        obj.password = password
+        obj.verbose = verbose
+        obj.client_pop_key = None
+        obj.nonce = nonce
+        obj.session_key = session_key
+        obj.cipher = AESGCM(session_key)
+
+        Security.__init__(obj, obj.security2_session)
+        return obj

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/rmaker_tools/rmaker_local_ctrl/integration.py

@@ -31,10 +31,14 @@ async def _probe_session(transport_obj, security_obj):
         return False
 
 
-async def _try_resume_session(nodeid, pop, transport_type, session_store):
+async def _try_resume_session(nodeid, pop, transport_type, session_store,
+                              sec2_username='wifiprov'):
     """
     Attempt to resume a saved session from disk.
     Returns (transport_obj, security_obj) on success, (None, None) on failure.
+
+    For sec_ver=2 sessions, sec2_username is used with pop (as the SRP6a password)
+    to validate the saved creds_hash.
     """
     if session_store is None:
         return None, None
@@ -102,12 +106,20 @@ async def _try_resume_session(nodeid, pop, transport_type, session_store):
             return None, None
 
     try:
-        from ..common.security.security1 import Security1
         from ..common.transport.transport_http import Transport_HTTP
 
-        security_obj = Security1.deserialize(session_data, pop=pop, verbose=False)
+        saved_sec_ver = session_data.get('sec_ver')
+        if saved_sec_ver == 2:
+            from ..common.security.security2 import Security2
+            security_obj = Security2.deserialize(
+                session_data, username=sec2_username, password=pop, verbose=False
+            )
+        else:
+            from ..common.security.security1 import Security1
+            security_obj = Security1.deserialize(session_data, pop=pop, verbose=False)
+
         if security_obj is None:
-            log.debug("Failed to deserialize security object (POP mismatch?)")
+            log.debug("Failed to deserialize security object (creds mismatch?)")
             session_store.invalidate_session(nodeid)
             return None, None
 
@@ -182,13 +194,54 @@ def _save_session_state(nodeid, transport_obj, security_obj, transport_type, sec
 
 
 def _update_session_offset(nodeid, security_obj, session_store):
-    """Update the CTR offset in the saved session after an operation."""
+    """
+    Update the crypto state (CTR offset for sec1, nonce for sec2) in the saved
+    session after an operation, so a future resume picks up where we left off.
+    """
     if session_store is None:
         return
     try:
-        session_store.update_session_offset(nodeid, security_obj.ctr_offset)
+        if hasattr(security_obj, 'ctr_offset') and not hasattr(security_obj, 'nonce'):
+            # Security1 fast-path — cheap partial update.
+            session_store.update_session_offset(nodeid, security_obj.ctr_offset)
+            return
+
+        # Security2 (or any future scheme): rewrite the serialized blob so the
+        # current nonce/counter is persisted.
+        if not hasattr(security_obj, 'serialize'):
+            return
+        data = session_store.load_session(nodeid)
+        if data is None:
+            return
+        sec_data = security_obj.serialize()
+        if sec_data is None:
+            return
+        data.update(sec_data)
+        session_store.save_session(nodeid, data)
+    except Exception as e:
+        log.debug(f"Failed to update session state: {e}")
+
+
+def _probe_sec_patch_ver(transport_obj):
+    """
+    Query esp_local_ctrl/version to discover the device's sec_patch_ver.
+    Returns the advertised integer, or 0 if the endpoint is missing/parse fails
+    (legacy firmware).
+
+    protocomm_httpd rejects POSTs with content_len <= 0, so we send "---"
+    as a dummy body — the version handler ignores it.
+    """
+    try:
+        response = transport_obj.send_data('esp_local_ctrl/version', '---')
+        if isinstance(response, bytes):
+            response = response.decode('utf-8', errors='replace')
+        info = json.loads(response)
+        local_ctrl = info.get('local_ctrl') if isinstance(info, dict) else None
+        if isinstance(local_ctrl, dict) and 'sec_patch_ver' in local_ctrl:
+            return int(local_ctrl['sec_patch_ver'])
     except Exception as e:
-        log.debug(f"Failed to update session offset: {e}")
+        log.debug(f"sec_patch_ver probe failed, defaulting to 0: {e}")
+    return 0
 
 
 async def _execute_operation(transport_obj, security_obj, operation, data):
@@ -204,11 +257,17 @@ async def _execute_operation(transport_obj, security_obj, operation, data):
         return None
 
 
-async def _fresh_establish(nodeid, pop, transport_type, sec_ver, port):
+async def _fresh_establish(nodeid, pop, transport_type, sec_ver, port,
+                           sec2_username='wifiprov', sec_patch_ver=None):
     """
     Establish a fresh transport + security session.
     Returns (transport_obj, security_obj, error_reason).
     error_reason is None on success, ERR_TRANSPORT or ERR_SECURITY on failure.
+
+    For sec_ver=2, `pop` is used as the SRP6a password. If sec_patch_ver is
+    None, the firmware is probed via esp_local_ctrl/version — newer firmware
+    advertises sec_patch_ver=1 (counter-in-IV), older firmware returns 0
+    (legacy static IV).
     """
     if ':' not in nodeid:
         if nodeid.endswith('.local'):
@@ -225,7 +284,14 @@ async def _fresh_establish(nodeid, pop, transport_type, sec_ver, port):
         log.error("Failed to establish transport")
         return None, None, ERR_TRANSPORT
 
-    security_obj = get_security(sec_ver, 0, '', '', pop, False)
+    if sec_ver == 2 and sec_patch_ver is None:
+        sec_patch_ver = _probe_sec_patch_ver(transport_obj)
+        log.debug(f"Using sec_patch_ver={sec_patch_ver} for node {nodeid}")
+    if sec_patch_ver is None:
+        sec_patch_ver = 0
+
+    security_obj = get_security(sec_ver, sec_patch_ver,
+                                sec2_username, pop, pop, False)
     if security_obj is None:
         log.error("Failed to setup security")
         return None, None, ERR_SECURITY
@@ -327,6 +393,8 @@ async def run_local_control_operation(nodeid, operation, data=None, **kwargs):
     node_cache = kwargs.get('node_cache', None)
     session_store = kwargs.get('session_store', None)
     explicit_sec_ver = kwargs.get('explicit_sec_ver', False)
+    sec2_username = kwargs.get('sec2_username', 'wifiprov') or 'wifiprov'
+    sec_patch_ver = None  # discovered lazily in _fresh_establish when needed
 
     if node_cache:
         capability = node_cache.get_local_control_capability(nodeid)
@@ -341,12 +409,14 @@ async def run_local_control_operation(nodeid, operation, data=None, **kwargs):
             transport_type = capability.get('transport', transport_type)
             if sec_ver == 0:
                 pop = ''
+        if capability and capability.get('sec_patch_ver') is not None:
+            sec_patch_ver = capability.get('sec_patch_ver')
 
     last_err = None
 
     try:
         transport_obj, security_obj = await _try_resume_session(
-            nodeid, pop, transport_type, session_store
+            nodeid, pop, transport_type, session_store, sec2_username
         )
 
         resumed = transport_obj is not None
@@ -363,11 +433,13 @@ async def run_local_control_operation(nodeid, operation, data=None, **kwargs):
                         return None
                 else:
                     transport_obj, security_obj, last_err = await _fresh_establish(
-                        nodeid, pop, transport_type, sec_ver, port
+                        nodeid, pop, transport_type, sec_ver, port,
+                        sec2_username, sec_patch_ver
                     )
             else:
                 transport_obj, security_obj, last_err = await _fresh_establish(
-                    nodeid, pop, transport_type, sec_ver, port
+                    nodeid, pop, transport_type, sec_ver, port,
+                    sec2_username, sec_patch_ver
                 )
 
             if transport_obj is None or security_obj is None:
@@ -381,14 +453,25 @@ async def run_local_control_operation(nodeid, operation, data=None, **kwargs):
 
         if result is not None:
             _update_session_offset(nodeid, security_obj, session_store)
-            if node_cache and not node_cache.get_local_control_capability(nodeid):
-                node_cache.set_local_control_capability(nodeid, {
-                    'supported': True,
-                    'sec_ver': sec_ver,
-                    'pop_required': bool(pop),
-                    'transport': transport_type,
-                    'port': port,
-                })
+            if node_cache:
+                existing = node_cache.get_local_control_capability(nodeid)
+                obj_patch_ver = getattr(security_obj, 'sec_patch_ver', None)
+                if not existing:
+                    cap = {
+                        'supported': True,
+                        'sec_ver': sec_ver,
+                        'pop_required': bool(pop),
+                        'transport': transport_type,
+                        'port': port,
+                    }
+                    if sec_ver == 2 and obj_patch_ver is not None:
+                        cap['sec_patch_ver'] = obj_patch_ver
+                    node_cache.set_local_control_capability(nodeid, cap)
+                elif (sec_ver == 2 and obj_patch_ver is not None
+                      and existing.get('sec_patch_ver') != obj_patch_ver):
+                    # Persist freshly-probed patch_ver so future connects skip the probe.
+                    existing['sec_patch_ver'] = obj_patch_ver
+                    node_cache.set_local_control_capability(nodeid, existing)
 
         if result is None and resumed:
             log.debug("Operation failed on resumed session, retrying with fresh session")
@@ -396,7 +479,8 @@ async def run_local_control_operation(nodeid, operation, data=None, **kwargs):
                 session_store.invalidate_session(nodeid)
 
             transport_obj, security_obj, last_err = await _fresh_establish(
-                nodeid, pop, transport_type, sec_ver, port
+                nodeid, pop, transport_type, sec_ver, port,
+                sec2_username, sec_patch_ver
             )
             if transport_obj is None or security_obj is None:
                 _set_error(last_err or ERR_SECURITY)

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/rmaker_tools/rmaker_local_ctrl/raw_config.py

@@ -524,6 +524,7 @@ async def run_raw_data_operation(nodeid, data_type, **kwargs):
     port = kwargs.get('port', None)
     device_name = kwargs.get('device_name', None)
     timestamp = kwargs.get('timestamp', None)
+    sec2_username = kwargs.get('sec2_username', 'wifiprov') or 'wifiprov'
     endpoint_name = 'get_params' if data_type == 0 else 'get_config'
     data_name = 'params' if data_type == 0 else 'config'
 
@@ -575,8 +576,9 @@ async def run_raw_data_operation(nodeid, data_type, **kwargs):
             if actual_sec_ver is None:
                 actual_sec_ver = 1
 
-        # Setup security
-        security_obj = get_security(actual_sec_ver, sec_patch_ver, '', '', pop, False)
+        # Setup security. For sec_ver=2, pop is used as the SRP6a password.
+        security_obj = get_security(actual_sec_ver, sec_patch_ver,
+                                    sec2_username, pop, pop, False)
         if security_obj is None:
             print("Failed to setup security")
             return None

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/rmaker_tools/rmaker_local_ctrl/raw_params.py

@@ -356,6 +356,7 @@ async def run_raw_params_operation(nodeid, operation, data=None, **kwargs):
     sec_ver = kwargs.get('sec_ver', 0)  # Default to 0 for raw endpoints
     port = kwargs.get('port', None)
     device_name = kwargs.get('device_name', None)
+    sec2_username = kwargs.get('sec2_username', 'wifiprov') or 'wifiprov'
 
     # Build service name
     # For BLE transport, prefer device_name if provided, otherwise fallback to nodeid
@@ -414,8 +415,10 @@ async def run_raw_params_operation(nodeid, operation, data=None, **kwargs):
             if actual_sec_ver is None:
                 actual_sec_ver = 1  # Default to Security 1
 
-        # Setup security using detected/configured version
-        security_obj = get_security(actual_sec_ver, sec_patch_ver, '', '', pop, False)
+        # Setup security using detected/configured version.
+        # For sec_ver=2, pop is used as the SRP6a password.
+        security_obj = get_security(actual_sec_ver, sec_patch_ver,
+                                    sec2_username, pop, pop, False)
         if security_obj is None:
             print("Failed to setup security")
             return None

{esp_rainmaker_cli-1.14.0 → esp_rainmaker_cli-1.14.1}/rmaker_tools/rmaker_prov/esp_rainmaker_prov.py

@@ -240,32 +240,40 @@ def provision_device(transport_mode, pop, userid, secretkey,
         print("Establishing connection to node - Failed")
         return None
 
-    # Auto-detect security version if not specified
-    if security_version is None:
-        # First check if capabilities are supported or not
-        if not esp_prov.has_capability(obj_transport):
-            print('Security capabilities could not be determined, defaulting to Security 1')
-            security_version = 1
-        else:
-            # When no_sec is present, use security 0, else security 1
-            security_version = int(not esp_prov.has_capability(obj_transport, 'no_sec'))
-        print(f'==== Auto-detected Security Scheme: {security_version} ====')
-
-    # Fetch and print device capabilities before checking pop requirements
-    # This helps users understand why pop might be required
-    # Store the response to reuse later for challenge-response check
+    # Fetch device capabilities up-front so auto-detect can read prov.sec_ver
+    # directly (no_sec / no_pop caps alone don't distinguish sec1 from sec2).
+    # The response is reused later for challenge-response checks.
     version_response = None
+    prov_info = {}
     try:
         print("Checking device capabilities...")
         version_response = esp_prov.get_version(obj_transport)
         if version_response:
             print(f"Device capabilities response: {version_response}")
+            try:
+                prov_info = json.loads(version_response).get('prov', {}) or {}
+            except (ValueError, AttributeError):
+                prov_info = {}
         else:
             print("Device capabilities response: (empty or not available)")
     except Exception as e:
         # If we can't get capabilities, continue anyway
         print(f"Could not retrieve device capabilities: {e}")
 
+    # Auto-detect security version if not specified
+    if security_version is None:
+        advertised = prov_info.get('sec_ver')
+        if isinstance(advertised, int):
+            security_version = advertised
+        elif 'no_sec' in prov_info.get('cap', []):
+            security_version = 0
+        elif prov_info:
+            security_version = 1
+        else:
+            print('Security capabilities could not be determined, defaulting to Security 1')
+            security_version = 1
+        print(f'==== Auto-detected Security Scheme: {security_version} ====')
+
     # Handle Security 1 PoP requirements
     if security_version == 1:
         if not esp_prov.has_capability(obj_transport, 'no_pop'):
@@ -280,9 +288,20 @@ def provision_device(transport_mode, pop, userid, secretkey,
     # Handle Security 2 credentials
     sec_patch_ver = 0
     if security_version == 2:
-        sec_patch_ver = esp_prov.get_sec_patch_ver(obj_transport)
+        # Prefer the sec_patch_ver already present in the cached prov_info, else probe.
+        advertised_patch = prov_info.get('sec_patch_ver') if prov_info else None
+        sec_patch_ver = int(advertised_patch) if isinstance(advertised_patch, int) \
+            else esp_prov.get_sec_patch_ver(obj_transport)
+
+        # Default username to 'wifiprov' (firmware default for the RainMaker
+        # provisioning endpoint) and treat --pop / QR pop as the SRP6a password
+        # when no explicit --sec2_password is given. Only prompt when neither
+        # pop nor sec2_password is available.
         if len(sec2_username) == 0:
-            sec2_username = input('Security Scheme 2 - SRP6a Username required: ')
+            sec2_username = 'wifiprov'
+            print(f"Using default Security 2 username '{sec2_username}'")
+        if len(sec2_password) == 0 and len(pop) > 0:
+            sec2_password = pop
         if len(sec2_password) == 0:
             sec2_password = getpass('Security Scheme 2 - SRP6a Password required: ')