diff --git a/session-logs/2026-02-24-session.md b/session-logs/2026-02-24-session.md
new file mode 100644
index 0000000..54e44cb
--- /dev/null
+++ b/session-logs/2026-02-24-session.md
@@ -0,0 +1,218 @@
+# Session Log: 2026-02-24
+
+## Session Summary
+
+Two major topics covered this session:
+
+### 1. Yealink YMCS Setup & Phone Scanner Tool
+Set up Yealink Management Cloud Service (YMCS) for managing phones across ACG clients. Built a PowerShell scanner tool to discover Yealink phones on client networks and extract serial numbers for RPS/YMCS registration.
+
+### 2. Peaceful Spirit (Country Club) - UCG Ultra Speed Issues
+Diagnosed severe speed degradation on a Cox 300/30 circuit behind a Unifi Cloud Gateway Ultra. Root cause identified as ECM hardware offload engine crash-looping combined with Suricata IDS/IPS on High consuming excessive CPU.
+
+---
+
+## Topic 1: Yealink YMCS Setup
+
+### What Was Accomplished
+- Reviewed YMCS dashboard structure: Arizona Computer Guru LLC org with sites VWP and GuruHQ
+- Confirmed YMCS pass-through/relay provisioning works - YMCS redirects phones to PacketDials for SIP config
+- Two phones already online in YMCS:
+  - **ACG Test Phone**: MAC `805ec097dacf`, SIP-T46S, firmware 66.86.0.15, IP 172.16.1.58
+  - **Winter**: MAC `805e0c08fefa`, SIP-T46S, firmware 66.86.0.15, IP 172.16.1.29
+- YMCS Site Configuration (GuruHQ) already has relay config to PacketDials:
+  ```
+  auto_provision.pnp_enable=1
+  auto_provision.power_on=1
+  auto_provision.repeat.enable=1
+  auto_provision.repeat.minutes=30
+  auto_provision.server.password=********
+  auto_provision.server.url=ftp://p.packetdials.net
+  auto_provision.server.username=lrshwh
+  firmware.url=ftp://p.packetdials.net
+  static.zero_touch.enable=1
+  ```
+
+### Migration Plan (wlcomm to OIT VoIP)
+- YMCS acts as relay/pass-through to provider's provisioning server
+- When ready: change `auto_provision.server.url` in YMCS site config from PacketDials to OIT
+- Push config, phones re-provision from OIT on next check-in (every 30 min) or reboot
+- Each client in PacketDials/Whitelabel has shared device password, username always `admin`
+
+### Winter Phone SIP Details (for reference)
+- SIP Server: `computerguru.voip.packetdials.net`
+- Username: `5f54f3c8b216`
+- Password: `3eb7d67260efe017`
+- Transport: DNS NAPTR
+- Expires: 360
+- Assigned to: Winter Williams
+- E911: (520) 304-8300 - 7437 E 22...
+- Line Keys: Device (Winter), Park 1-4 (*31-*34), BLF Mike (7003), BLF Rob (7007), Speed Dial Mike-Cell (1-520-289-1912), Howard-Cell (1-520-585-1310), Rob-Cell (1-520-303-6791)
+
+### Yealink Phone Scanner Tool
+Built `tools/Scan-YealinkPhones.ps1` - PowerShell script to scan subnets for Yealink phones.
+
+**What works:**
+- Ping sweep using .NET SendPingAsync (parallel batches)
+- ARP table + Get-NetNeighbor parsing to find Yealink MACs
+- Yealink OUI prefixes: `80:5E:C0`, `80:5E:0C`, `80:5A:35`, `00:15:65`, `28:6D:97`, `24:4B:FE`
+- SSL certificate bypass for self-signed certs
+- Unsafe header parsing for Yealink's non-standard HTTP responses
+- CSV output with append capability
+
+**What doesn't work (yet):**
+- Serial number extraction from web UI - Yealink T46S firmware 66.86.0.15 uses RSA+AES encrypted login
+  - Login flow: AES-128-CBC encrypts password (with random prefix + JSESSIONID), RSA encrypts AES key/IV
+  - Implemented the crypto in PowerShell but got error -3 (authentication format mismatch)
+  - The JS crypto uses CryptoJS AES with ZeroPadding + custom RSA (pkcs1pad2)
+  - Issue likely related to session/nonce handling
+
+**Alternative approaches tried:**
+- SSDP/UPnP discovery: No response from Yealink phones
+- SNMP (community: public): No response
+- Digest auth on cgiServer.exx: 401 (auth not accepted)
+- Various API endpoints: All return login page or 403
+
+**Backup tool created:** `tools/yealink-serial-scanner.html` - Browser-based scanner that uses the phone's own JavaScript crypto. Not yet tested.
+
+**Recommended approach:** Yealink IP Discovery Tool (official tool, not publicly available - request from Yealink distributor or check YMCS Resources section)
+
+### Files Created/Modified
+- `tools/Scan-YealinkPhones.ps1` - Main scanner script
+- `tools/test-yealink.ps1` - Debug/test script (can be deleted)
+- `tools/yealink-serial-scanner.html` - Browser-based scanner (backup approach)
+
+### Credentials
+- GuruHQ Yealink phone web UI: admin / b4e765c3
+- PacketDials provisioning: username `lrshwh` (password masked in YMCS)
+- YMCS RPS example serial: `3146019091637071` (ACG Test Phone)
+
+---
+
+## Topic 2: Peaceful Spirit Country Club - UCG Ultra Speed Issues
+
+### Problem
+Cox 300/30 Mbps circuit delivering 1 Mbps download with hardware acceleration ON + auto MSS clamping. Was working at full speed a few days prior.
+
+### Equipment
+- **Gateway:** Unifi Cloud Gateway Ultra (UCG-PST-CC)
+- **Firmware:** UniFi OS 5.0.12, Network 10.1.85 (Official channel, auto-update ON)
+- **Kernel:** 5.4.213-ui-ipq5322 (aarch64)
+- **WAN:** eth4, 2500 Mbps full duplex to Cox modem
+- **VPN:** WireGuard site-to-site (wgsts1000, MTU 1420) + tun1 (Teleport)
+- **Cox IP:** 98.190.129.150 (wsip-98-190-129-150.ph.ph.cox.net)
+- **LAN:** 192.168.0.0/24
+- **Modem:** New, replaced day before session
+
+### Test Results
+| Configuration | Download | Upload |
+|--------------|----------|--------|
+| HW accel ON + Auto MSS | ~1 Mbps | 29 Mbps |
+| HW accel ON + MSS 1300 | 28 Mbps | 29 Mbps |
+| HW accel OFF + Auto MSS | 28 Mbps | 22 Mbps |
+| HW accel ON + MSS 1452 | <1 Mbps | - |
+| HW accel ON + MSS disabled | <2 Mbps | - |
+| Later (no changes) | 150 Mbps | - |
+| Later (no changes) | 271 Mbps | - |
+
+### Root Cause Analysis (via SSH)
+1. **Suricata IDS/IPS running on HIGH** - consuming 20.3% RAM (614MB), forcing all traffic through CPU
+2. **ECM hardware offload NOT loaded** - `lsmod | grep ecm` returned empty; ECM is disabled when IDS/IPS is active
+3. **ECM was crash-looping** in dmesg - repeated `ECM exit / ECM init` cycles
+4. **MSS clamping rules only apply to tun1 (VPN)**, NOT to WAN (eth4) - UI MSS setting had no effect on WAN traffic
+5. **QUIC reassembly failures** in dmesg: `[quic_sm_reassemble_func#1025]: failed to allocate reassemble cont.`
+6. **WAN link flapped** - eth4 went down/up during the session period
+
+### Key Finding
+MSS clamping in the Unifi UI was a red herring - iptables showed MSS rules only on `tun1`, not `eth4`. The real issue was Suricata on High preventing hardware offload, combined with ECM instability.
+
+### Resolution
+Speed recovered to 271 Mbps without making changes - likely ECM crash loop resolved itself. Monitoring recommended.
+
+### Recommendations
+- Consider switching IDS/IPS from High to Medium/Low for better throughput
+- Monitor for ECM crash recurrence
+- If speeds drop again, reboot UCG Ultra to reset ECM state
+- Keep SSH key in place for future diagnostics
+
+### SSH Access
+- **Host:** 192.168.0.10 (via VPN) or 98.190.129.150 (WAN)
+- **User:** root (also requires password via GUI-added key)
+- **Key:** `~/.ssh/ucg_peaceful_spirit` (ed25519)
+- **Public key:** `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBw+BK25MXpm91XBtDsSp7K0nTcKwFDLFZDx7tAO/N8 claude@claudetools`
+- **Note:** Key was added via Unifi GUI; SSH still prompts for password in addition to key
+
+### Infrastructure
+- UCG Ultra hostname: UCG-PST-CC
+- WAN interface: eth4 (NOT eth0)
+- LAN interfaces: eth0-eth3 on switch0, br0
+- VPN: wgsts1000 (WireGuard site-to-site), tun1 (Teleport)
+
+---
+
+## MSS Clamping Reference (Cox Cable)
+- Cox uses standard DOCSIS, MTU 1500, no PPPoE
+- Standard MSS: 1460 (1500 - 20 IP - 20 TCP)
+- With IPsec VPN: ~1390-1400
+- With WireGuard: 1420
+- UCG Ultra max MSS input: 1452
+
+---
+
+## Pending/Incomplete Tasks
+
+### Yealink YMCS
+- [ ] Get Yealink IP Discovery Tool from distributor (for serial number extraction)
+- [ ] Test browser-based scanner (`tools/yealink-serial-scanner.html`) as fallback
+- [ ] Onboard remaining phones across all client sites into YMCS
+- [ ] Build OIT VoIP config templates in YMCS when ready for migration
+- [ ] Clean up test files (`tools/test-yealink.ps1`)
+
+### Peaceful Spirit
+- [ ] Monitor UCG Ultra speed stability over coming days
+- [ ] If speeds drop again, consider IDS/IPS High -> Medium/Low
+- [ ] Investigate why GUI-added SSH key still requires password
+- [ ] Consider disabling auto-update on UCG to prevent firmware regressions
+
+---
+
+## Update: 2026-02-25 Follow-up
+
+### Peaceful Spirit - Continued Degradation
+
+After initial recovery to 278 Mbps (HW accel ON, auto MSS), speeds dropped back to 1 Mbps within minutes. ECM confirmed crash-looping again via SSH dmesg — cycling every ~6 minutes (init -> run -> exit -> repeat).
+
+### IDS/IPS Disabled
+- Switched IDS/IPS from High to disabled entirely
+- Speed still unstable: initial 200+ Mbps then **decays to ~70 Mbps under sustained load**
+- This speed decay pattern (burst then drop) indicates external plant issue, not gateway
+
+### Conclusion: Cox Plant Issue
+- ECM crash-looping is a SYMPTOM, not the cause
+- Gateway offload engine crashing because it's receiving corrupted/incomplete frames from modem
+- Speed decay under sustained load consistent with:
+  - Upstream noise/ingress causing CMTS power level adjustments
+  - Overheating or failing amplifier in plant
+  - Partial bonding failure (marginal channels dropping under load)
+  - T3 timeouts accumulating as modem loses sync on noisy channels
+- **Cox tech dispatched** — needs line tech with meter at the tap
+
+### Summary Provided to Cox Tech
+- 300/30 circuit delivering 70-200 Mbps (intermittent drops to <1 Mbps)
+- 50% packet loss at all packet sizes
+- New modem (replaced day prior), same issue
+- Speed starts 200+ then decays to 70 under sustained load
+- Download severely impacted, upload less affected = downstream RF/signal issue
+- Need tech to check: downstream SNR, power levels, uncorrectable codewords, T3/T4 timeouts, physical plant, RF ingress
+
+---
+
+## Files Reference
+- `tools/Scan-YealinkPhones.ps1` - Yealink phone subnet scanner
+- `tools/test-yealink.ps1` - Debug script (temporary)
+- `tools/yealink-serial-scanner.html` - Browser-based serial scanner
+- `~/.ssh/ucg_peaceful_spirit` - SSH key for Peaceful Spirit UCG Ultra
+- `C:\temp\phones.csv` - Scanner output (test data)
+- `C:\temp\yealink_common.js` - Yealink phone JS (for crypto analysis)
+- `C:\temp\yealink_login.js` - Yealink login JS
+- `C:\temp\yealink_loginform.txt` - Login form response dump
diff --git a/tools/Scan-YealinkPhones.ps1 b/tools/Scan-YealinkPhones.ps1
new file mode 100644
index 0000000..8e8892f
--- /dev/null
+++ b/tools/Scan-YealinkPhones.ps1
@@ -0,0 +1,898 @@
+<#
+.SYNOPSIS
+    Scans a subnet for Yealink phones and extracts inventory data from their web UI.
+
+.DESCRIPTION
+    Performs a fast parallel ping sweep of a given CIDR subnet, filters for Yealink
+    MAC address prefixes via the ARP table, authenticates to each phone's web UI
+    using digest auth, and extracts MAC, serial number, model, and firmware version.
+    Results are written to CSV and displayed in the console.
+
+.PARAMETER Subnet
+    Subnet to scan in CIDR notation (e.g., 192.168.1.0/24).
+
+.PARAMETER Username
+    Web UI username for the Yealink phones. Default: admin
+
+.PARAMETER Password
+    Web UI password for the Yealink phones.
+
+.PARAMETER SiteName
+    Client/site name included in each CSV row for multi-site inventory tracking.
+
+.PARAMETER OutputFile
+    Path for the output CSV file. Default: yealink_inventory.csv
+
+.PARAMETER Timeout
+    Timeout in milliseconds for network operations. Default: 1000
+
+.EXAMPLE
+    .\Scan-YealinkPhones.ps1 -Subnet "192.168.1.0/24" -Password "mypass" -SiteName "ClientHQ"
+
+.EXAMPLE
+    .\Scan-YealinkPhones.ps1 -Subnet "10.0.5.0/24" -Username "admin" -Password "p@ss" -SiteName "BranchOffice" -OutputFile "C:\inventory\phones.csv" -Timeout 2000
+
+.NOTES
+    Compatible with PowerShell 5.1 (Windows built-in). No external module dependencies.
+    Uses runspaces for parallel ping sweep. Supports Yealink digest authentication.
+#>
+
+[CmdletBinding()]
+param(
+    [Parameter(Mandatory = $true, HelpMessage = "Subnet in CIDR notation, e.g. 192.168.1.0/24")]
+    [ValidatePattern('^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/\d{1,2}$')]
+    [string]$Subnet,
+
+    [Parameter(Mandatory = $false)]
+    [string]$Username = "admin",
+
+    [Parameter(Mandatory = $true, HelpMessage = "Web UI password for the phones")]
+    [string]$Password,
+
+    [Parameter(Mandatory = $true, HelpMessage = "Client/site name for the CSV output")]
+    [string]$SiteName,
+
+    [Parameter(Mandatory = $false)]
+    [string]$OutputFile = "yealink_inventory.csv",
+
+    [Parameter(Mandatory = $false)]
+    [ValidateRange(100, 30000)]
+    [int]$Timeout = 1000
+)
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = "Stop"
+
+# ---------------------------------------------------------------------------
+# Yealink OUI prefixes (colon-separated, uppercase for comparison)
+# ---------------------------------------------------------------------------
+$YealinkPrefixes = @("80:5E:C0", "80:5E:0C", "80:5A:35", "00:15:65", "28:6D:97", "24:4B:FE")
+
+# ---------------------------------------------------------------------------
+# CIDR Calculation
+# ---------------------------------------------------------------------------
+function Get-SubnetAddresses {
+    <#
+    .SYNOPSIS
+        Returns all usable host IP addresses for a given CIDR subnet.
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [string]$CidrSubnet
+    )
+
+    $parts = $CidrSubnet -split '/'
+    $networkAddress = [System.Net.IPAddress]::Parse($parts[0])
+    $prefixLength = [int]$parts[1]
+
+    if ($prefixLength -lt 8 -or $prefixLength -gt 30) {
+        throw "Prefix length must be between /8 and /30. Got /$prefixLength."
+    }
+
+    $networkBytes = $networkAddress.GetAddressBytes()
+    # Convert to UInt32 (big-endian)
+    $networkUInt = ([uint32]$networkBytes[0] -shl 24) -bor `
+                   ([uint32]$networkBytes[1] -shl 16) -bor `
+                   ([uint32]$networkBytes[2] -shl 8) -bor `
+                   ([uint32]$networkBytes[3])
+
+    $hostBits = 32 - $prefixLength
+    $totalAddresses = [math]::Pow(2, $hostBits)
+    $subnetMask = ([uint32]::MaxValue) -shl $hostBits -band [uint32]::MaxValue
+    $networkStart = $networkUInt -band $subnetMask
+
+    $addresses = [System.Collections.Generic.List[string]]::new()
+
+    # Skip network address (first) and broadcast address (last)
+    for ($i = 1; $i -lt ($totalAddresses - 1); $i++) {
+        $ipUInt = $networkStart + $i
+        $octet1 = ($ipUInt -shr 24) -band 0xFF
+        $octet2 = ($ipUInt -shr 16) -band 0xFF
+        $octet3 = ($ipUInt -shr 8) -band 0xFF
+        $octet4 = $ipUInt -band 0xFF
+        $addresses.Add("$octet1.$octet2.$octet3.$octet4")
+    }
+
+    return $addresses
+}
+
+# ---------------------------------------------------------------------------
+# Parallel Ping Sweep using Runspaces
+# ---------------------------------------------------------------------------
+function Invoke-PingSweep {
+    <#
+    .SYNOPSIS
+        Pings all IPs in parallel using runspaces. Returns list of responding IPs.
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [System.Collections.Generic.List[string]]$IPAddresses,
+
+        [int]$TimeoutMs = 1000,
+
+        [int]$ThrottleLimit = 64
+    )
+
+    $runspacePool = [System.Management.Automation.Runspaces.RunspaceFactory]::CreateRunspacePool(1, $ThrottleLimit)
+    $runspacePool.Open()
+
+    $scriptBlock = {
+        param([string]$IP, [int]$Timeout)
+        $pinger = New-Object System.Net.NetworkInformation.Ping
+        try {
+            $result = $pinger.Send($IP, $Timeout)
+            if ($result.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) {
+                return $IP
+            }
+        }
+        catch {
+            # Host unreachable or other error — skip silently
+        }
+        finally {
+            $pinger.Dispose()
+        }
+        return $null
+    }
+
+    $jobs = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+    foreach ($ip in $IPAddresses) {
+        $ps = [System.Management.Automation.PowerShell]::Create()
+        $ps.RunspacePool = $runspacePool
+        [void]$ps.AddScript($scriptBlock)
+        [void]$ps.AddArgument($ip)
+        [void]$ps.AddArgument($TimeoutMs)
+
+        $handle = $ps.BeginInvoke()
+        $jobs.Add([PSCustomObject]@{
+            PowerShell = $ps
+            Handle     = $handle
+        })
+    }
+
+    $liveHosts = [System.Collections.Generic.List[string]]::new()
+    $completed = 0
+    $total = $jobs.Count
+
+    foreach ($job in $jobs) {
+        try {
+            $result = $job.PowerShell.EndInvoke($job.Handle)
+            if ($result -and $result[0]) {
+                $liveHosts.Add($result[0])
+            }
+        }
+        catch {
+            # Silently skip failed pings
+        }
+        finally {
+            $job.PowerShell.Dispose()
+        }
+        $completed++
+        if ($completed % 50 -eq 0 -or $completed -eq $total) {
+            $pct = [math]::Round(($completed / $total) * 100)
+            Write-Host "`r  Ping progress: $completed/$total ($pct%)" -NoNewline
+        }
+    }
+    Write-Host ""
+
+    $runspacePool.Close()
+    $runspacePool.Dispose()
+
+    return $liveHosts
+}
+
+# ---------------------------------------------------------------------------
+# ARP Table MAC Lookup
+# ---------------------------------------------------------------------------
+function Get-ArpMac {
+    <#
+    .SYNOPSIS
+        Retrieves MAC address for an IP from the local ARP table.
+        Returns MAC in colon-separated uppercase format, or $null if not found.
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [string]$IPAddress
+    )
+
+    try {
+        $arpOutput = & arp -a $IPAddress 2>$null
+        if (-not $arpOutput) { return $null }
+
+        foreach ($line in $arpOutput) {
+            $line = $line.Trim()
+            # Windows ARP format: "192.168.1.1     80-5e-c0-aa-bb-cc     dynamic"
+            if ($line -match '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+([\da-fA-F]{2}[-:][\da-fA-F]{2}[-:][\da-fA-F]{2}[-:][\da-fA-F]{2}[-:][\da-fA-F]{2}[-:][\da-fA-F]{2})') {
+                $mac = $Matches[1].ToUpper() -replace '-', ':'
+                return $mac
+            }
+        }
+    }
+    catch {
+        # ARP lookup failed — not critical
+    }
+
+    return $null
+}
+
+# ---------------------------------------------------------------------------
+# Yealink MAC Prefix Check
+# ---------------------------------------------------------------------------
+function Test-YealinkMac {
+    <#
+    .SYNOPSIS
+        Returns $true if the MAC address belongs to a known Yealink OUI prefix.
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [string]$Mac
+    )
+
+    $macUpper = $Mac.ToUpper() -replace '-', ':'
+    $prefix = ($macUpper -split ':')[0..2] -join ':'
+
+    return ($YealinkPrefixes -contains $prefix)
+}
+
+# ---------------------------------------------------------------------------
+# Digest Authentication Helper
+# ---------------------------------------------------------------------------
+function Set-UnsafeHeaderParsing {
+    <#
+    .SYNOPSIS
+        Enables useUnsafeHeaderParsing to tolerate non-standard HTTP headers
+        from embedded devices like Yealink phones.
+    #>
+    $netAssembly = [System.Reflection.Assembly]::GetAssembly([System.Net.Configuration.SettingsSection])
+    if ($netAssembly) {
+        $bindingFlags = [System.Reflection.BindingFlags]::Static -bor
+                        [System.Reflection.BindingFlags]::GetProperty -bor
+                        [System.Reflection.BindingFlags]::NonPublic
+        $settingsType = $netAssembly.GetType("System.Net.Configuration.SettingsSectionInternal")
+        if ($settingsType) {
+            $instance = $settingsType.InvokeMember("Section", $bindingFlags, $null, $null, @())
+            if ($instance) {
+                $useUnsafeField = $settingsType.GetField("useUnsafeHeaderParsing",
+                    [System.Reflection.BindingFlags]::NonPublic -bor [System.Reflection.BindingFlags]::Instance)
+                if ($useUnsafeField) {
+                    $useUnsafeField.SetValue($instance, $true)
+                }
+            }
+        }
+    }
+}
+
+function Invoke-DigestAuthRequest {
+    <#
+    .SYNOPSIS
+        Performs an HTTP GET with digest authentication.
+        Compatible with PowerShell 5.1.
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [string]$Uri,
+
+        [Parameter(Mandatory)]
+        [string]$User,
+
+        [Parameter(Mandatory)]
+        [string]$Pass,
+
+        [int]$TimeoutMs = 5000
+    )
+
+    # Enable lenient header parsing for Yealink's non-standard HTTP responses
+    Set-UnsafeHeaderParsing
+
+    # Ignore SSL certificate errors (phones use self-signed certs)
+    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
+    # Ensure TLS 1.2 support
+    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 -bor [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls -bor [System.Net.SecurityProtocolType]::Ssl3
+
+    $credential = New-Object System.Net.NetworkCredential($User, $Pass)
+    $credCache = New-Object System.Net.CredentialCache
+    $credCache.Add([Uri]$Uri, "Digest", $credential)
+    # Also add Basic in case some models use it
+    $credCache.Add([Uri]$Uri, "Basic", $credential)
+
+    $request = [System.Net.HttpWebRequest]::Create($Uri)
+    $request.Credentials = $credCache
+    $request.PreAuthenticate = $false
+    $request.Timeout = $TimeoutMs
+    $request.ReadWriteTimeout = $TimeoutMs
+    $request.Method = "GET"
+    $request.UserAgent = "Mozilla/5.0 (YealinkScanner)"
+
+    try {
+        $response = $request.GetResponse()
+        $stream = $response.GetResponseStream()
+        $reader = New-Object System.IO.StreamReader($stream)
+        $body = $reader.ReadToEnd()
+        $reader.Close()
+        $stream.Close()
+        $response.Close()
+        return $body
+    }
+    catch [System.Net.WebException] {
+        $ex = $_.Exception
+        if ($ex.Response) {
+            $statusCode = [int]$ex.Response.StatusCode
+            if ($statusCode -eq 401) {
+                throw "Authentication failed (HTTP 401)"
+            }
+            throw "HTTP error $statusCode"
+        }
+        throw "Connection failed: $($ex.Message)"
+    }
+}
+
+# ---------------------------------------------------------------------------
+# Yealink Data Extraction
+# ---------------------------------------------------------------------------
+function Get-YealinkPhoneData {
+    <#
+    .SYNOPSIS
+        Queries a Yealink phone's web UI and extracts inventory data.
+        Tries the structured data endpoint first, then falls back to the HTML status page.
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [string]$IPAddress,
+
+        [Parameter(Mandatory)]
+        [string]$User,
+
+        [Parameter(Mandatory)]
+        [string]$Pass,
+
+        [int]$TimeoutMs = 5000
+    )
+
+    $phoneData = [PSCustomObject]@{
+        MAC             = ""
+        Serial          = ""
+        Model           = ""
+        FirmwareVersion = ""
+        IP              = $IPAddress
+        Success         = $false
+        Error           = ""
+    }
+
+    # Enable lenient header parsing and SSL bypass
+    Set-UnsafeHeaderParsing
+    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
+    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 -bor [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls -bor [System.Net.SecurityProtocolType]::Ssl3
+
+    $body = $null
+    $protocols = @("https", "http")
+
+    # Disable Expect: 100-continue globally (Yealink returns 417 otherwise)
+    [System.Net.ServicePointManager]::Expect100Continue = $false
+
+    foreach ($proto in $protocols) {
+        $baseUrl = "${proto}://$IPAddress"
+
+        # --- Method 1: Cookie-based login (T4x/T5x with newer firmware) ---
+        try {
+            $cookieContainer = New-Object System.Net.CookieContainer
+
+            # Step 1: POST login
+            $loginUrl = "$baseUrl/servlet?m=mod_listener&p=login&q=login&Ession=0"
+            $loginRequest = [System.Net.HttpWebRequest]::Create($loginUrl)
+            $loginRequest.Method = "POST"
+            $loginRequest.ContentType = "application/x-www-form-urlencoded"
+            $loginRequest.ServicePoint.Expect100Continue = $false
+            $loginRequest.CookieContainer = $cookieContainer
+            $loginRequest.Timeout = $TimeoutMs
+            $loginRequest.ReadWriteTimeout = $TimeoutMs
+            $loginRequest.UserAgent = "Mozilla/5.0 (YealinkScanner)"
+            $loginRequest.AllowAutoRedirect = $true
+
+            $loginBody = "username=$User&pwd=$Pass"
+            $loginBytes = [System.Text.Encoding]::UTF8.GetBytes($loginBody)
+            $loginRequest.ContentLength = $loginBytes.Length
+            $reqStream = $loginRequest.GetRequestStream()
+            $reqStream.Write($loginBytes, 0, $loginBytes.Length)
+            $reqStream.Close()
+
+            $loginResponse = $loginRequest.GetResponse()
+            $loginReader = New-Object System.IO.StreamReader($loginResponse.GetResponseStream())
+            $loginResult = $loginReader.ReadToEnd()
+            $loginReader.Close()
+            $loginResponse.Close()
+
+            # Step 2: Fetch status page with session cookie
+            $statusUrl = "$baseUrl/servlet?m=mod_data&p=status-status&q=load"
+            $statusRequest = [System.Net.HttpWebRequest]::Create($statusUrl)
+            $statusRequest.Method = "GET"
+            $statusRequest.CookieContainer = $cookieContainer
+            $statusRequest.Timeout = $TimeoutMs
+            $statusRequest.ReadWriteTimeout = $TimeoutMs
+            $statusRequest.UserAgent = "Mozilla/5.0 (YealinkScanner)"
+
+            $statusResponse = $statusRequest.GetResponse()
+            $statusReader = New-Object System.IO.StreamReader($statusResponse.GetResponseStream())
+            $body = $statusReader.ReadToEnd()
+            $statusReader.Close()
+            $statusResponse.Close()
+
+            # Check if we got actual data (not a login page)
+            if ($body -and $body.Length -gt 10 -and $body -notmatch 'authstatus.*none' -and $body -notmatch 'CheckLogin') {
+                break
+            }
+
+            # Try alternate status endpoint
+            $statusUrl2 = "$baseUrl/servlet?p=status-status"
+            $statusRequest2 = [System.Net.HttpWebRequest]::Create($statusUrl2)
+            $statusRequest2.Method = "GET"
+            $statusRequest2.CookieContainer = $cookieContainer
+            $statusRequest2.Timeout = $TimeoutMs
+            $statusRequest2.ReadWriteTimeout = $TimeoutMs
+            $statusRequest2.UserAgent = "Mozilla/5.0 (YealinkScanner)"
+
+            $statusResponse2 = $statusRequest2.GetResponse()
+            $statusReader2 = New-Object System.IO.StreamReader($statusResponse2.GetResponseStream())
+            $body = $statusReader2.ReadToEnd()
+            $statusReader2.Close()
+            $statusResponse2.Close()
+
+            if ($body -and $body.Length -gt 10 -and $body -notmatch 'authstatus.*none' -and $body -notmatch 'CheckLogin') {
+                break
+            }
+            $body = $null
+        }
+        catch {
+            $phoneData.Error = $_.Exception.Message
+            $body = $null
+            continue
+        }
+
+        # --- Method 2: Digest auth fallback (older firmware) ---
+        $endpoints = @(
+            "$baseUrl/servlet?m=mod_data&p=status-status&q=load",
+            "$baseUrl/servlet?p=status-status"
+        )
+        foreach ($endpoint in $endpoints) {
+            try {
+                $body = Invoke-DigestAuthRequest -Uri $endpoint -User $User -Pass $Pass -TimeoutMs $TimeoutMs
+                if ($body -and $body.Length -gt 10 -and $body -notmatch 'authstatus.*none' -and $body -notmatch 'CheckLogin') {
+                    break
+                }
+                $body = $null
+            }
+            catch {
+                $phoneData.Error = $_.Exception.Message
+                $body = $null
+                continue
+            }
+        }
+        if ($body) { break }
+    }
+
+    if (-not $body) {
+        if (-not $phoneData.Error) {
+            $phoneData.Error = "No valid response from any status endpoint"
+        }
+        return $phoneData
+    }
+
+    # DEBUG: dump raw response to temp file for inspection
+    $debugFile = Join-Path $env:TEMP "yealink_debug_$($IPAddress -replace '\.','_').txt"
+    $body | Out-File -FilePath $debugFile -Encoding UTF8 -Force
+    Write-Host "    DEBUG: Raw response saved to $debugFile" -ForegroundColor DarkGray
+
+    # --- Parse structured JSON response (mod_data endpoint) ---
+    try {
+        # Attempt JSON parse first (mod_data endpoint returns JSON on many models)
+        $jsonData = $body | ConvertFrom-Json -ErrorAction Stop
+
+        # Different models use different JSON field names.
+        # Common patterns observed across T2x/T4x/T5x series:
+        $macFields = @("MacAddress", "MAC", "mac", "Mac_Address", "MACAddress")
+        $serialFields = @("SerialNumber", "Serial", "serial", "Machine_ID", "MachineID", "SN")
+        $modelFields = @("ModelName", "Model", "model", "ProductName", "Product", "DeviceModel")
+        $fwFields = @("FirmwareVersion", "Firmware", "firmware", "FWVersion", "fw_version", "SoftwareVersion")
+
+        foreach ($field in $macFields) {
+            $val = $jsonData.PSObject.Properties | Where-Object { $_.Name -eq $field } | Select-Object -First 1
+            if ($val -and $val.Value) { $phoneData.MAC = ($val.Value -replace '-', ':').ToUpper(); break }
+        }
+        foreach ($field in $serialFields) {
+            $val = $jsonData.PSObject.Properties | Where-Object { $_.Name -eq $field } | Select-Object -First 1
+            if ($val -and $val.Value) { $phoneData.Serial = [string]$val.Value; break }
+        }
+        foreach ($field in $modelFields) {
+            $val = $jsonData.PSObject.Properties | Where-Object { $_.Name -eq $field } | Select-Object -First 1
+            if ($val -and $val.Value) { $phoneData.Model = [string]$val.Value; break }
+        }
+        foreach ($field in $fwFields) {
+            $val = $jsonData.PSObject.Properties | Where-Object { $_.Name -eq $field } | Select-Object -First 1
+            if ($val -and $val.Value) { $phoneData.FirmwareVersion = [string]$val.Value; break }
+        }
+
+        # Some models nest data under a "body" or "data" property
+        $nestedContainers = @("body", "data", "Body", "Data", "status")
+        foreach ($container in $nestedContainers) {
+            $nested = $jsonData.PSObject.Properties | Where-Object { $_.Name -eq $container } | Select-Object -First 1
+            if ($nested -and $nested.Value -and $nested.Value -is [PSCustomObject]) {
+                $obj = $nested.Value
+                if (-not $phoneData.MAC) {
+                    foreach ($field in $macFields) {
+                        $val = $obj.PSObject.Properties | Where-Object { $_.Name -eq $field } | Select-Object -First 1
+                        if ($val -and $val.Value) { $phoneData.MAC = ($val.Value -replace '-', ':').ToUpper(); break }
+                    }
+                }
+                if (-not $phoneData.Serial) {
+                    foreach ($field in $serialFields) {
+                        $val = $obj.PSObject.Properties | Where-Object { $_.Name -eq $field } | Select-Object -First 1
+                        if ($val -and $val.Value) { $phoneData.Serial = [string]$val.Value; break }
+                    }
+                }
+                if (-not $phoneData.Model) {
+                    foreach ($field in $modelFields) {
+                        $val = $obj.PSObject.Properties | Where-Object { $_.Name -eq $field } | Select-Object -First 1
+                        if ($val -and $val.Value) { $phoneData.Model = [string]$val.Value; break }
+                    }
+                }
+                if (-not $phoneData.FirmwareVersion) {
+                    foreach ($field in $fwFields) {
+                        $val = $obj.PSObject.Properties | Where-Object { $_.Name -eq $field } | Select-Object -First 1
+                        if ($val -and $val.Value) { $phoneData.FirmwareVersion = [string]$val.Value; break }
+                    }
+                }
+            }
+        }
+    }
+    catch {
+        # Not JSON — fall through to HTML/text parsing
+    }
+
+    # --- Fallback: Parse HTML/text response ---
+    if (-not $phoneData.MAC -or -not $phoneData.Serial -or -not $phoneData.Model -or -not $phoneData.FirmwareVersion) {
+        # MAC Address patterns in HTML
+        if (-not $phoneData.MAC) {
+            if ($body -match '(?i)(?:mac\s*(?:address)?|MAC)\s*[:=]\s*([0-9A-Fa-f]{2}[:-][0-9A-Fa-f]{2}[:-][0-9A-Fa-f]{2}[:-][0-9A-Fa-f]{2}[:-][0-9A-Fa-f]{2}[:-][0-9A-Fa-f]{2})') {
+                $phoneData.MAC = ($Matches[1] -replace '-', ':').ToUpper()
+            }
+        }
+
+        # Serial / Machine ID
+        if (-not $phoneData.Serial) {
+            if ($body -match '(?i)(?:serial\s*(?:number)?|machine\s*id|SN)\s*[:=]\s*([A-Za-z0-9]+)') {
+                $phoneData.Serial = $Matches[1]
+            }
+        }
+
+        # Model
+        if (-not $phoneData.Model) {
+            # Look for Yealink model patterns like T46S, T54W, SIP-T48G, VP59, CP920, etc.
+            if ($body -match '(?i)(?:model|product\s*name|device\s*model)\s*[:=]\s*((?:SIP-)?[A-Za-z]{1,4}[\-]?[0-9]{2,4}[A-Za-z]?)') {
+                $phoneData.Model = $Matches[1]
+            }
+            elseif ($body -match '(?i)(Yealink\s+(?:SIP-)?[A-Za-z]{1,4}[\-]?[0-9]{2,4}[A-Za-z]?)') {
+                $phoneData.Model = $Matches[1]
+            }
+        }
+
+        # Firmware Version
+        if (-not $phoneData.FirmwareVersion) {
+            if ($body -match '(?i)(?:firmware|software)\s*(?:version)?\s*[:=]\s*([0-9]+\.[0-9]+\.[0-9]+[.\-][0-9A-Za-z.]+)') {
+                $phoneData.FirmwareVersion = $Matches[1]
+            }
+            elseif ($body -match '(?i)(?:firmware|software)\s*(?:version)?\s*[:=]\s*(\S+)') {
+                $phoneData.FirmwareVersion = $Matches[1]
+            }
+        }
+
+        # Try parsing HTML table rows (common Yealink status page format):
+        # <tr><td>Label</td><td>Value</td></tr>
+        $tablePattern = '<tr[^>]*>\s*<td[^>]*>\s*(?<label>[^<]+)\s*</td>\s*<td[^>]*>\s*(?<value>[^<]+)\s*</td>\s*</tr>'
+        $tableMatches = [regex]::Matches($body, $tablePattern, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)
+
+        foreach ($m in $tableMatches) {
+            $label = $m.Groups['label'].Value.Trim()
+            $value = $m.Groups['value'].Value.Trim()
+
+            if (-not $phoneData.MAC -and $label -match '(?i)mac') {
+                $phoneData.MAC = ($value -replace '-', ':').ToUpper()
+            }
+            if (-not $phoneData.Serial -and $label -match '(?i)(serial|machine)') {
+                $phoneData.Serial = $value
+            }
+            if (-not $phoneData.Model -and $label -match '(?i)(model|product)') {
+                $phoneData.Model = $value
+            }
+            if (-not $phoneData.FirmwareVersion -and $label -match '(?i)(firmware|software)') {
+                $phoneData.FirmwareVersion = $value
+            }
+        }
+    }
+
+    # If we got at least one meaningful field, consider it a success
+    if ($phoneData.MAC -or $phoneData.Serial -or $phoneData.Model -or $phoneData.FirmwareVersion) {
+        $phoneData.Success = $true
+        $phoneData.Error = ""
+    }
+    elseif (-not $phoneData.Error) {
+        $phoneData.Error = "Could not parse any fields from status page response"
+    }
+
+    return $phoneData
+}
+
+# ---------------------------------------------------------------------------
+# CSV Output
+# ---------------------------------------------------------------------------
+function Export-PhoneInventory {
+    <#
+    .SYNOPSIS
+        Appends phone inventory data to a CSV file. Creates the file with headers if it does not exist.
+    #>
+    param(
+        [Parameter(Mandatory)]
+        [array]$PhoneRecords,
+
+        [Parameter(Mandatory)]
+        [string]$FilePath,
+
+        [Parameter(Mandatory)]
+        [string]$Site
+    )
+
+    $csvRows = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+    foreach ($phone in $PhoneRecords) {
+        $csvRows.Add([PSCustomObject]@{
+            MAC             = $phone.MAC
+            Serial          = $phone.Serial
+            Model           = $phone.Model
+            FirmwareVersion = $phone.FirmwareVersion
+            IP              = $phone.IP
+            SiteName        = $Site
+        })
+    }
+
+    $fileExists = Test-Path -Path $FilePath -PathType Leaf
+    if ($fileExists) {
+        # Append without header
+        $csvRows | Export-Csv -Path $FilePath -NoTypeInformation -Append -Force
+    }
+    else {
+        $csvRows | Export-Csv -Path $FilePath -NoTypeInformation -Force
+    }
+}
+
+# ===========================================================================
+# MAIN EXECUTION
+# ===========================================================================
+
+$scriptStartTime = Get-Date
+
+Write-Host ""
+Write-Host "==========================================" -ForegroundColor Cyan
+Write-Host "  Yealink Phone Scanner" -ForegroundColor Cyan
+Write-Host "==========================================" -ForegroundColor Cyan
+Write-Host "  Subnet:    $Subnet"
+Write-Host "  Site:      $SiteName"
+Write-Host "  Output:    $OutputFile"
+Write-Host "  Timeout:   ${Timeout}ms"
+Write-Host "==========================================" -ForegroundColor Cyan
+Write-Host ""
+
+# --- Step 1: Calculate subnet addresses ---
+Write-Host "[INFO] Calculating IP addresses for $Subnet..." -ForegroundColor Yellow
+try {
+    $ipList = Get-SubnetAddresses -CidrSubnet $Subnet
+}
+catch {
+    Write-Host "[ERROR] Invalid subnet: $_" -ForegroundColor Red
+    exit 1
+}
+Write-Host "[OK] $($ipList.Count) host addresses in range." -ForegroundColor Green
+Write-Host ""
+
+# --- Step 2: Ping sweep to populate ARP table ---
+Write-Host "[INFO] Pinging $($ipList.Count) addresses to populate ARP table..." -ForegroundColor Yellow
+
+# Use ping in batches — send async pings using .NET Ping.SendPingAsync for speed
+$pingTasks = [System.Collections.Generic.List[object]]::new()
+$batchSize = 100
+for ($i = 0; $i -lt $ipList.Count; $i += $batchSize) {
+    $batch = $ipList[$i..[math]::Min($i + $batchSize - 1, $ipList.Count - 1)]
+    foreach ($ip in $batch) {
+        $pinger = New-Object System.Net.NetworkInformation.Ping
+        try {
+            $task = $pinger.SendPingAsync($ip, $Timeout)
+            $pingTasks.Add(@{ Task = $task; Pinger = $pinger })
+        }
+        catch {
+            $pinger.Dispose()
+        }
+    }
+    # Wait for this batch to finish
+    foreach ($pt in $pingTasks) {
+        try { [void]$pt.Task.Wait(($Timeout + 500)) } catch {}
+        $pt.Pinger.Dispose()
+    }
+    $pingTasks.Clear()
+    $done = [math]::Min($i + $batchSize, $ipList.Count)
+    $pct = [math]::Round(($done / $ipList.Count) * 100)
+    Write-Host "`r  Ping progress: $done/$($ipList.Count) ($pct%)" -NoNewline
+}
+Write-Host ""
+Write-Host "[OK] Ping sweep complete." -ForegroundColor Green
+Write-Host ""
+
+# --- Step 3: Parse ARP table for Yealink MACs within our subnet ---
+Write-Host "[INFO] Scanning ARP table for Yealink MAC prefixes..." -ForegroundColor Yellow
+
+$yealinkDevices = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+# Build a HashSet of IPs in our target subnet for fast lookup
+$subnetIPs = [System.Collections.Generic.HashSet[string]]::new()
+foreach ($ip in $ipList) { [void]$subnetIPs.Add($ip) }
+
+# Parse the full ARP table
+$arpLines = & arp -a 2>$null
+foreach ($line in $arpLines) {
+    $line = $line.Trim()
+    if ($line -match '^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+([\da-fA-F]{2}[-:][\da-fA-F]{2}[-:][\da-fA-F]{2}[-:][\da-fA-F]{2}[-:][\da-fA-F]{2}[-:][\da-fA-F]{2})') {
+        $ip = $Matches[1]
+        $mac = $Matches[2].ToUpper() -replace '-', ':'
+        if ($subnetIPs.Contains($ip) -and (Test-YealinkMac -Mac $mac)) {
+            $yealinkDevices.Add([PSCustomObject]@{
+                IP  = $ip
+                MAC = $mac
+            })
+            Write-Host "  Found: $ip -> $mac" -ForegroundColor Cyan
+        }
+    }
+}
+
+# Also try Get-NetNeighbor as a fallback (more reliable on Windows 10/11)
+try {
+    $neighbors = Get-NetNeighbor -State Reachable,Stale,Delay,Probe -ErrorAction SilentlyContinue
+    foreach ($n in $neighbors) {
+        $ip = $n.IPAddress
+        $mac = ($n.LinkLayerAddress -replace '-', ':').ToUpper()
+        if ($subnetIPs.Contains($ip) -and (Test-YealinkMac -Mac $mac)) {
+            # Avoid duplicates
+            $already = $yealinkDevices | Where-Object { $_.IP -eq $ip }
+            if (-not $already) {
+                $yealinkDevices.Add([PSCustomObject]@{
+                    IP  = $ip
+                    MAC = $mac
+                })
+                Write-Host "  Found: $ip -> $mac (via NetNeighbor)" -ForegroundColor Cyan
+            }
+        }
+    }
+}
+catch {
+    Write-Host "  [INFO] Get-NetNeighbor not available, using ARP table only." -ForegroundColor DarkGray
+}
+
+Write-Host "[OK] Found $($yealinkDevices.Count) Yealink devices." -ForegroundColor Green
+Write-Host ""
+
+if ($yealinkDevices.Count -eq 0) {
+    Write-Host "[WARNING] No Yealink devices detected on this subnet. Exiting." -ForegroundColor DarkYellow
+    exit 0
+}
+
+# Display detected devices
+Write-Host "  Detected Yealink devices:" -ForegroundColor Cyan
+foreach ($dev in $yealinkDevices) {
+    Write-Host "    $($dev.IP)  ($($dev.MAC))"
+}
+Write-Host ""
+
+# --- Step 4: Query each Yealink phone's web UI ---
+Write-Host "[INFO] Querying Yealink phone web UIs for inventory data..." -ForegroundColor Yellow
+Write-Host ""
+
+$successfulScrapes = [System.Collections.Generic.List[PSCustomObject]]::new()
+$failedScrapes = [System.Collections.Generic.List[PSCustomObject]]::new()
+
+$deviceIndex = 0
+foreach ($device in $yealinkDevices) {
+    $deviceIndex++
+    Write-Host "  [$deviceIndex/$($yealinkDevices.Count)] Querying $($device.IP) ($($device.MAC))..." -NoNewline
+
+    $phoneData = Get-YealinkPhoneData -IPAddress $device.IP -User $Username -Pass $Password -TimeoutMs ($Timeout * 5)
+
+    # If we didn't get MAC from the web UI, use the ARP MAC
+    if (-not $phoneData.MAC) {
+        $phoneData.MAC = $device.MAC
+    }
+
+    if ($phoneData.Success) {
+        $successfulScrapes.Add($phoneData)
+        Write-Host " [OK] $($phoneData.Model) / $($phoneData.Serial)" -ForegroundColor Green
+    }
+    else {
+        $failedScrapes.Add([PSCustomObject]@{
+            IP    = $device.IP
+            MAC   = $device.MAC
+            Error = $phoneData.Error
+        })
+        Write-Host " [FAILED] $($phoneData.Error)" -ForegroundColor Red
+    }
+}
+
+Write-Host ""
+
+# --- Step 5: Output results ---
+if ($successfulScrapes.Count -gt 0) {
+    # Write to CSV
+    Write-Host "[INFO] Writing $($successfulScrapes.Count) records to $OutputFile..." -ForegroundColor Yellow
+    try {
+        Export-PhoneInventory -PhoneRecords $successfulScrapes -FilePath $OutputFile -Site $SiteName
+        Write-Host "[OK] CSV updated: $OutputFile" -ForegroundColor Green
+    }
+    catch {
+        Write-Host "[ERROR] Failed to write CSV: $_" -ForegroundColor Red
+    }
+
+    # Display results table
+    Write-Host ""
+    Write-Host "==========================================" -ForegroundColor Cyan
+    Write-Host "  Scan Results" -ForegroundColor Cyan
+    Write-Host "==========================================" -ForegroundColor Cyan
+    Write-Host ""
+
+    $successfulScrapes | ForEach-Object {
+        [PSCustomObject]@{
+            IP              = $_.IP
+            MAC             = $_.MAC
+            Model           = $_.Model
+            Serial          = $_.Serial
+            FirmwareVersion = $_.FirmwareVersion
+        }
+    } | Format-Table -AutoSize | Out-String | Write-Host
+}
+
+# Report failures
+if ($failedScrapes.Count -gt 0) {
+    Write-Host "  Failed devices:" -ForegroundColor Red
+    foreach ($fail in $failedScrapes) {
+        Write-Host "    $($fail.IP) ($($fail.MAC)): $($fail.Error)" -ForegroundColor Red
+    }
+    Write-Host ""
+}
+
+# --- Summary ---
+$elapsed = (Get-Date) - $scriptStartTime
+
+Write-Host "==========================================" -ForegroundColor Cyan
+Write-Host "  Summary" -ForegroundColor Cyan
+Write-Host "==========================================" -ForegroundColor Cyan
+Write-Host "  Site:              $SiteName"
+Write-Host "  Subnet:            $Subnet"
+Write-Host "  IPs scanned:       $($ipList.Count)"
+Write-Host "  Yealink detected:  $($yealinkDevices.Count)"
+Write-Host "  Successfully scraped: $($successfulScrapes.Count)" -ForegroundColor Green
+Write-Host "  Failed:            $($failedScrapes.Count)" -ForegroundColor $(if ($failedScrapes.Count -gt 0) { "Red" } else { "Green" })
+Write-Host "  Elapsed time:      $([math]::Round($elapsed.TotalSeconds, 1))s"
+Write-Host "==========================================" -ForegroundColor Cyan
+Write-Host ""
diff --git a/tools/test-yealink.ps1 b/tools/test-yealink.ps1
new file mode 100644
index 0000000..c8a567f
--- /dev/null
+++ b/tools/test-yealink.ps1
@@ -0,0 +1,183 @@
+# Test SSDP/UPnP discovery for Yealink phones
+param(
+    [string]$IP = "172.16.1.29",
+    [int]$DiscoveryTimeout = 5
+)
+
+# --- Test 1: SSDP M-SEARCH broadcast ---
+Write-Host "=== Test 1: SSDP M-SEARCH (broadcast) ===" -ForegroundColor Yellow
+Write-Host "  Sending M-SEARCH to 239.255.255.250:1900..." -ForegroundColor DarkGray
+
+$ssdpMessage = @"
+M-SEARCH * HTTP/1.1
+HOST: 239.255.255.250:1900
+MAN: "ssdp:discover"
+MX: 3
+ST: ssdp:all
+
+"@
+
+$ssdpBytes = [System.Text.Encoding]::ASCII.GetBytes($ssdpMessage.Replace("`n", "`r`n"))
+$udpClient = New-Object System.Net.Sockets.UdpClient
+$udpClient.Client.ReceiveTimeout = ($DiscoveryTimeout * 1000)
+$udpClient.Client.SetSocketOption([System.Net.Sockets.SocketOptionLevel]::Socket,
+    [System.Net.Sockets.SocketOptionName]::ReuseAddress, $true)
+
+$multicastEp = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Parse("239.255.255.250"), 1900)
+$udpClient.Send($ssdpBytes, $ssdpBytes.Length, $multicastEp) | Out-Null
+
+$responses = @()
+$sw = [System.Diagnostics.Stopwatch]::StartNew()
+while ($sw.Elapsed.TotalSeconds -lt $DiscoveryTimeout) {
+    try {
+        $remoteEp = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
+        $data = $udpClient.Receive([ref]$remoteEp)
+        $response = [System.Text.Encoding]::ASCII.GetString($data)
+        $sourceIp = $remoteEp.Address.ToString()
+
+        if ($response -match 'yealink|Yealink|YEALINK|SIP-T') {
+            Write-Host "  [YEALINK] Response from $sourceIp" -ForegroundColor Green
+            Write-Host $response -ForegroundColor Cyan
+            $responses += @{ IP = $sourceIp; Response = $response }
+        }
+        elseif ($sourceIp -eq $IP) {
+            Write-Host "  Response from TARGET $sourceIp" -ForegroundColor Green
+            Write-Host $response -ForegroundColor Cyan
+            $responses += @{ IP = $sourceIp; Response = $response }
+        }
+    }
+    catch [System.Net.Sockets.SocketException] {
+        break  # Timeout
+    }
+}
+$udpClient.Close()
+Write-Host "  Received $($responses.Count) Yealink/target responses" -ForegroundColor DarkGray
+
+# --- Test 2: Direct SSDP to the phone's IP ---
+Write-Host ""
+Write-Host "=== Test 2: Direct SSDP M-SEARCH to $IP ===" -ForegroundColor Yellow
+
+$udpClient2 = New-Object System.Net.Sockets.UdpClient
+$udpClient2.Client.ReceiveTimeout = 3000
+
+$directEp = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Parse($IP), 1900)
+$udpClient2.Send($ssdpBytes, $ssdpBytes.Length, $directEp) | Out-Null
+
+try {
+    $remoteEp2 = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
+    $data2 = $udpClient2.Receive([ref]$remoteEp2)
+    $response2 = [System.Text.Encoding]::ASCII.GetString($data2)
+    Write-Host "  Response from $($remoteEp2.Address):" -ForegroundColor Green
+    Write-Host $response2 -ForegroundColor Cyan
+}
+catch {
+    Write-Host "  No response (timeout)" -ForegroundColor DarkYellow
+}
+$udpClient2.Close()
+
+# --- Test 3: Try fetching UPnP device description if we got a LOCATION header ---
+Write-Host ""
+Write-Host "=== Test 3: UPnP device description URLs ===" -ForegroundColor Yellow
+
+# Try common UPnP description URLs
+$descUrls = @(
+    "http://${IP}:1900/description.xml",
+    "http://${IP}/description.xml",
+    "http://${IP}:49152/description.xml",
+    "http://${IP}:5060/description.xml",
+    "http://${IP}/DeviceDescription.xml",
+    "http://${IP}/upnp/description.xml"
+)
+
+# Also extract LOCATION from any SSDP responses
+foreach ($r in $responses) {
+    if ($r.Response -match 'LOCATION:\s*(http[^\s\r\n]+)') {
+        $loc = $Matches[1].Trim()
+        if ($descUrls -notcontains $loc) { $descUrls = @($loc) + $descUrls }
+    }
+}
+
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
+[System.Net.ServicePointManager]::Expect100Continue = $false
+
+# Enable unsafe header parsing
+$netAssembly = [System.Reflection.Assembly]::GetAssembly([System.Net.Configuration.SettingsSection])
+if ($netAssembly) {
+    $settingsType = $netAssembly.GetType("System.Net.Configuration.SettingsSectionInternal")
+    if ($settingsType) {
+        $bf = [System.Reflection.BindingFlags]::Static -bor [System.Reflection.BindingFlags]::GetProperty -bor [System.Reflection.BindingFlags]::NonPublic
+        $instance = $settingsType.InvokeMember("Section", $bf, $null, $null, @())
+        if ($instance) {
+            $field = $settingsType.GetField("useUnsafeHeaderParsing", [System.Reflection.BindingFlags]::NonPublic -bor [System.Reflection.BindingFlags]::Instance)
+            if ($field) { $field.SetValue($instance, $true) }
+        }
+    }
+}
+
+foreach ($url in $descUrls) {
+    Write-Host "  Trying: $url" -ForegroundColor DarkGray -NoNewline
+    try {
+        $req = [System.Net.HttpWebRequest]::Create($url)
+        $req.Timeout = 3000
+        $req.UserAgent = "UPnP/1.0"
+        $resp = $req.GetResponse()
+        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
+        $body = $reader.ReadToEnd()
+        $reader.Close()
+        $resp.Close()
+        Write-Host " -> OK ($($body.Length) chars)" -ForegroundColor Green
+        Write-Host $body -ForegroundColor Cyan
+
+        # Save if it looks like XML device description
+        if ($body -match 'serialNumber|modelName|manufacturer') {
+            Write-Host ""
+            Write-Host "  [FOUND] Device description with useful fields!" -ForegroundColor Green
+            $body | Out-File "C:\temp\yealink_upnp.xml" -Encoding UTF8
+        }
+    }
+    catch {
+        Write-Host " -> FAIL" -ForegroundColor Red
+    }
+}
+
+# --- Test 4: Try SNMP if available ---
+Write-Host ""
+Write-Host "=== Test 4: SNMP probe (community: public) ===" -ForegroundColor Yellow
+Write-Host "  Trying SNMPv2c GET on common OIDs..." -ForegroundColor DarkGray
+
+# Build a simple SNMPv2c GET request for sysDescr (1.3.6.1.2.1.1.1.0)
+# This is a minimal hand-crafted SNMP packet
+$snmpGet = [byte[]]@(
+    0x30, 0x29,                         # SEQUENCE, length 41
+    0x02, 0x01, 0x01,                   # INTEGER: version = 1 (SNMPv2c)
+    0x04, 0x06,                         # OCTET STRING: community
+    0x70, 0x75, 0x62, 0x6C, 0x69, 0x63, # "public"
+    0xA0, 0x1C,                         # GET-REQUEST, length 28
+    0x02, 0x04, 0x01, 0x02, 0x03, 0x04, # request-id
+    0x02, 0x01, 0x00,                   # error-status: 0
+    0x02, 0x01, 0x00,                   # error-index: 0
+    0x30, 0x0E,                         # varbind list
+    0x30, 0x0C,                         # varbind
+    0x06, 0x08,                         # OID
+    0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00,  # 1.3.6.1.2.1.1.1.0 (sysDescr)
+    0x05, 0x00                          # NULL
+)
+
+try {
+    $snmpClient = New-Object System.Net.Sockets.UdpClient
+    $snmpClient.Client.ReceiveTimeout = 3000
+    $snmpEp = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Parse($IP), 161)
+    $snmpClient.Send($snmpGet, $snmpGet.Length, $snmpEp) | Out-Null
+
+    $snmpRemote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
+    $snmpData = $snmpClient.Receive([ref]$snmpRemote)
+    $snmpResponse = [System.Text.Encoding]::ASCII.GetString($snmpData)
+    Write-Host "  SNMP response received ($($snmpData.Length) bytes)" -ForegroundColor Green
+    # Try to extract readable text from the response
+    $readable = ($snmpData | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { "." } }) -join ""
+    Write-Host "  Readable: $readable" -ForegroundColor Cyan
+    $snmpClient.Close()
+}
+catch {
+    Write-Host "  No SNMP response (timeout or blocked)" -ForegroundColor DarkYellow
+}
diff --git a/tools/yealink-serial-scanner.html b/tools/yealink-serial-scanner.html
new file mode 100644
index 0000000..03da6da
--- /dev/null
+++ b/tools/yealink-serial-scanner.html
@@ -0,0 +1,338 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Yealink Serial Scanner</title>
+<style>
+    body { font-family: Consolas, monospace; background: #1e1e1e; color: #d4d4d4; padding: 20px; }
+    h1 { color: #569cd6; }
+    .form-group { margin: 10px 0; }
+    label { display: inline-block; width: 120px; color: #9cdcfe; }
+    input, textarea { background: #2d2d2d; color: #d4d4d4; border: 1px solid #555; padding: 5px 10px; font-family: Consolas, monospace; }
+    input[type=text], input[type=password] { width: 300px; }
+    textarea { width: 500px; height: 100px; }
+    button { background: #0e639c; color: white; border: none; padding: 8px 20px; cursor: pointer; font-family: Consolas, monospace; margin: 5px; }
+    button:hover { background: #1177bb; }
+    button:disabled { background: #555; cursor: not-allowed; }
+    #log { background: #0d0d0d; padding: 15px; margin-top: 20px; max-height: 500px; overflow-y: auto; white-space: pre-wrap; font-size: 13px; border: 1px solid #333; }
+    .success { color: #4ec9b0; }
+    .error { color: #f44747; }
+    .info { color: #569cd6; }
+    .warn { color: #ce9178; }
+    table { border-collapse: collapse; margin-top: 15px; }
+    th, td { border: 1px solid #555; padding: 6px 12px; text-align: left; }
+    th { background: #264f78; }
+    #results { margin-top: 20px; }
+    .note { color: #808080; font-size: 12px; margin-top: 5px; }
+</style>
+</head>
+<body>
+<h1>Yealink Phone Serial Scanner</h1>
+<p class="note">This tool logs into Yealink phone web UIs to extract serial numbers (Machine IDs) for YMCS/RPS registration.
+<br>Enter phone IPs (one per line or comma-separated), credentials, and click Scan.</p>
+
+<div class="form-group">
+    <label>Phone IPs:</label>
+    <textarea id="ips" placeholder="172.16.1.29&#10;172.16.1.58&#10;or: 172.16.1.29, 172.16.1.58">172.16.1.29</textarea>
+</div>
+<div class="form-group">
+    <label>Username:</label>
+    <input type="text" id="username" value="admin">
+</div>
+<div class="form-group">
+    <label>Password:</label>
+    <input type="password" id="password" value="">
+</div>
+<div class="form-group">
+    <label>Site Name:</label>
+    <input type="text" id="sitename" value="GuruHQ">
+</div>
+<div class="form-group">
+    <label>Protocol:</label>
+    <select id="protocol">
+        <option value="https">HTTPS</option>
+        <option value="http">HTTP</option>
+    </select>
+</div>
+<div>
+    <button id="scanBtn" onclick="startScan()">Scan Phones</button>
+    <button onclick="exportCSV()">Export CSV</button>
+    <button onclick="clearLog()">Clear Log</button>
+</div>
+
+<div id="log"></div>
+<div id="results"></div>
+
+<script>
+// CryptoJS AES + MD5 (minimal inline build)
+// Source: CryptoJS v3.1.2 (MIT License)
+var CryptoJS=CryptoJS||function(u,p){var d={},l=d.lib={},s=function(){},t=l.Base={extend:function(a){s.prototype=this;var c=new s;a&&c.mixIn(a);c.hasOwnProperty("init")||(c.init=function(){c.$super.init.apply(this,arguments)});c.init.prototype=c;c.$super=this;return c},create:function(){var a=this.extend();a.init.apply(a,arguments);return a},init:function(){},mixIn:function(a){for(var c in a)a.hasOwnProperty(c)&&(this[c]=a[c]);a.hasOwnProperty("toString")&&(this.toString=a.toString)},clone:function(){return this.init.prototype.extend(this)}},r=l.WordArray=t.extend({init:function(a,c){a=this.words=a||[];this.sigBytes=c!=p?c:4*a.length},toString:function(a){return(a||v).stringify(this)},concat:function(a){var c=this.words,e=a.words,j=this.sigBytes;a=a.sigBytes;this.clamp();if(j%4)for(var k=0;k<a;k++)c[j+k>>>2]|=(e[k>>>2]>>>24-8*(k%4)&255)<<24-8*((j+k)%4);else for(k=0;k<a;k+=4)c[j+k>>>2]=e[k>>>2];this.sigBytes+=a;return this},clamp:function(){var a=this.words,c=this.sigBytes;a[c>>>2]&=4294967295<<32-8*(c%4);a.length=u.ceil(c/4)},clone:function(){var a=t.clone.call(this);a.words=this.words.slice(0);return a},random:function(a){for(var c=[],e=0;e<a;e+=4)c.push(4294967296*u.random()|0);return new r.init(c,a)}}),w=d.enc={},v=w.Hex={stringify:function(a){var c=a.words;a=a.sigBytes;for(var e=[],j=0;j<a;j++){var k=c[j>>>2]>>>24-8*(j%4)&255;e.push((k>>>4).toString(16));e.push((k&15).toString(16))}return e.join("")},parse:function(a){for(var c=a.length,e=[],j=0;j<c;j+=2)e[j>>>3]|=parseInt(a.substr(j,2),16)<<24-4*(j%8);return new r.init(e,c/2)}},b=w.Latin1={stringify:function(a){var c=a.words;a=a.sigBytes;for(var e=[],j=0;j<a;j++)e.push(String.fromCharCode(c[j>>>2]>>>24-8*(j%4)&255));return e.join("")},parse:function(a){for(var c=a.length,e=[],j=0;j<c;j++)e[j>>>2]|=(a.charCodeAt(j)&255)<<24-8*(j%4);return new r.init(e,c)}},x=w.Utf8={stringify:function(a){try{return decodeURIComponent(escape(b.stringify(a)))}catch(c){throw Error("Malformed UTF-8 data")}},parse:function(a){return b.parse(unescape(encodeURIComponent(a)))}},q=l.BufferedBlockAlgorithm=t.extend({reset:function(){this._data=new r.init;this._nDataBytes=0},_append:function(a){"string"==typeof a&&(a=x.parse(a));this._data.concat(a);this._nDataBytes+=a.sigBytes},_process:function(a){var c=this._data,e=c.words,j=c.sigBytes,k=this.blockSize,b=j/(4*k),b=a?u.ceil(b):u.max((b|0)-this._minBufferSize,0);a=b*k;j=u.min(4*a,j);if(a){for(var q=0;q<a;q+=k)this._doProcessBlock(e,q);q=e.splice(0,a);c.sigBytes-=j}return new r.init(q,j)},clone:function(){var a=t.clone.call(this);a._data=this._data.clone();return a}}),G=l.Hasher=q.extend({cfg:t.extend(),init:function(a){this.cfg=this.cfg.extend(a);this.reset()},reset:function(){q.reset.call(this);this._doReset()},update:function(a){this._append(a);this._process();return this},finalize:function(a){a&&this._append(a);return this._doFinalize()},blockSize:16,_createHelper:function(a){return function(c,e){return(new a.init(e)).finalize(c)}},_createHmacHelper:function(a){return function(c,e){return(new n.HMAC.init(a,e)).finalize(c)}}});var n=d.algo={};return d}(Math);
+
+// MD5
+(function(u){function p(b,n,a,c,e,j,k){b=b+(n&a|~n&c)+e+k;return(b<<j|b>>>32-j)+n}function d(b,n,a,c,e,j,k){b=b+(n&c|a&~c)+e+k;return(b<<j|b>>>32-j)+n}function l(b,n,a,c,e,j,k){b=b+(n^a^c)+e+k;return(b<<j|b>>>32-j)+n}function s(b,n,a,c,e,j,k){b=b+(a^(n|~c))+e+k;return(b<<j|b>>>32-j)+n}var t=CryptoJS,r=t.lib,w=r.WordArray,v=r.Hasher,r=t.algo,b=[];(function(){for(var n=0;64>n;n++)b[n]=4294967296*u.abs(u.sin(n+1))|0})();r=r.MD5=v.extend({_doReset:function(){this._hash=new w.init([1732584193,4023233417,2562383102,271733878])},_doProcessBlock:function(n,a){for(var c=0;16>c;c++){var e=a+c,j=n[e];n[e]=(j<<8|j>>>24)&16711935|(j<<24|j>>>8)&4278255360}var c=this._hash.words,e=n[a+0],j=n[a+1],k=n[a+2],q=n[a+3],G=n[a+4],H=n[a+5],I=n[a+6],J=n[a+7],K=n[a+8],L=n[a+9],M=n[a+10],N=n[a+11],O=n[a+12],P=n[a+13],Q=n[a+14],R=n[a+15],f=c[0],m=c[1],g=c[2],h=c[3],f=p(f,m,g,h,e,7,b[0]),h=p(h,f,m,g,j,12,b[1]),g=p(g,h,f,m,k,17,b[2]),m=p(m,g,h,f,q,22,b[3]),f=p(f,m,g,h,G,7,b[4]),h=p(h,f,m,g,H,12,b[5]),g=p(g,h,f,m,I,17,b[6]),m=p(m,g,h,f,J,22,b[7]),f=p(f,m,g,h,K,7,b[8]),h=p(h,f,m,g,L,12,b[9]),g=p(g,h,f,m,M,17,b[10]),m=p(m,g,h,f,N,22,b[11]),f=p(f,m,g,h,O,7,b[12]),h=p(h,f,m,g,P,12,b[13]),g=p(g,h,f,m,Q,17,b[14]),m=p(m,g,h,f,R,22,b[15]),f=d(f,m,g,h,j,5,b[16]),h=d(h,f,m,g,I,9,b[17]),g=d(g,h,f,m,N,14,b[18]),m=d(m,g,h,f,e,20,b[19]),f=d(f,m,g,h,H,5,b[20]),h=d(h,f,m,g,M,9,b[21]),g=d(g,h,f,m,R,14,b[22]),m=d(m,g,h,f,G,20,b[23]),f=d(f,m,g,h,L,5,b[24]),h=d(h,f,m,g,Q,9,b[25]),g=d(g,h,f,m,q,14,b[26]),m=d(m,g,h,f,K,20,b[27]),f=d(f,m,g,h,P,5,b[28]),h=d(h,f,m,g,k,9,b[29]),g=d(g,h,f,m,J,14,b[30]),m=d(m,g,h,f,O,20,b[31]),f=l(f,m,g,h,H,4,b[32]),h=l(h,f,m,g,K,11,b[33]),g=l(g,h,f,m,N,16,b[34]),m=l(m,g,h,f,Q,23,b[35]),f=l(f,m,g,h,j,4,b[36]),h=l(h,f,m,g,G,11,b[37]),g=l(g,h,f,m,J,16,b[38]),m=l(m,g,h,f,M,23,b[39]),f=l(f,m,g,h,P,4,b[40]),h=l(h,f,m,g,e,11,b[41]),g=l(g,h,f,m,q,16,b[42]),m=l(m,g,h,f,I,23,b[43]),f=l(f,m,g,h,L,4,b[44]),h=l(h,f,m,g,O,11,b[45]),g=l(g,h,f,m,R,16,b[46]),m=l(m,g,h,f,k,23,b[47]),f=s(f,m,g,h,e,6,b[48]),h=s(h,f,m,g,J,10,b[49]),g=s(g,h,f,m,Q,15,b[50]),m=s(m,g,h,f,H,21,b[51]),f=s(f,m,g,h,O,6,b[52]),h=s(h,f,m,g,q,10,b[53]),g=s(g,h,f,m,M,15,b[54]),m=s(m,g,h,f,j,21,b[55]),f=s(f,m,g,h,K,6,b[56]),h=s(h,f,m,g,R,10,b[57]),g=s(g,h,f,m,I,15,b[58]),m=s(m,g,h,f,P,21,b[59]),f=s(f,m,g,h,G,6,b[60]),h=s(h,f,m,g,N,10,b[61]),g=s(g,h,f,m,k,15,b[62]),m=s(m,g,h,f,L,21,b[63]);c[0]=c[0]+f|0;c[1]=c[1]+m|0;c[2]=c[2]+g|0;c[3]=c[3]+h|0},_doFinalize:function(){var b=this._data,n=b.words,a=8*this._nDataBytes,c=8*b.sigBytes;n[c>>>5]|=128<<24-c%32;var e=u.floor(a/4294967296);n[(c+64>>>9<<4)+14]=(e<<8|e>>>24)&16711935|(e<<24|e>>>8)&4278255360;n[(c+64>>>9<<4)+15]=(a<<8|a>>>24)&16711935|(a<<24|a>>>8)&4278255360;b.sigBytes=4*(n.length+1);this._process();b=this._hash;n=b.words;for(a=0;4>a;a++)c=n[a],n[a]=(c<<8|c>>>24)&16711935|(c<<24|c>>>8)&4278255360;return b}});t.MD5=v._createHelper(r);t.HmacMD5=v._createHmacHelper(r)})(Math);
+
+// AES
+(function(){var u=CryptoJS,p=u.lib.BlockCipher,d=u.algo,l=[],s=[],t=[],r=[],w=[],v=[],b=[],x=[],q=[],G=[];(function(){for(var c=[],j=0;256>j;j++)c[j]=128>j?j<<1:j<<1^283;for(var a=0,k=0,j=0;256>j;j++){var e=k^k<<1^k<<2^k<<3^k<<4,e=e>>>8^e&255^99;l[a]=e;s[e]=a;var n=c[a],H=c[n],I=c[H],J=257*c[e]^16843008*e;t[a]=J<<24|J>>>8;r[a]=J<<16|J>>>16;w[a]=J<<8|J>>>24;v[a]=J;J=16843009*I^65537*H^257*n^16843008*a;b[e]=J<<24|J>>>8;x[e]=J<<16|J>>>16;q[e]=J<<8|J>>>24;G[e]=J;a?(a=n^c[c[c[I^n]]],k^=c[c[k]]):a=k=1}})();var H=[0,1,2,4,8,16,32,64,128,27,54],d=d.AES=p.extend({_doReset:function(){for(var c=this._key,j=c.words,a=c.sigBytes/4,c=4*((this._nRounds=a+6)+1),k=this._keySchedule=[],e=0;e<c;e++)if(e<a)k[e]=j[e];else{var n=k[e-1];e%a?6<a&&4==e%a&&(n=l[n>>>24]<<24|l[n>>>16&255]<<16|l[n>>>8&255]<<8|l[n&255]):(n=n<<8|n>>>24,n=l[n>>>24]<<24|l[n>>>16&255]<<16|l[n>>>8&255]<<8|l[n&255],n^=H[e/a|0]<<24);k[e]=k[e-a]^n}j=this._invKeySchedule=[];for(a=0;a<c;a++)e=c-a,n=a%4?k[e]:k[e-4],j[a]=4>a||4>=e?n:b[l[n>>>24]]^x[l[n>>>16&255]]^q[l[n>>>8&255]]^G[l[n&255]]},encryptBlock:function(c,j){this._doCryptBlock(c,j,this._keySchedule,t,r,w,v,l)},decryptBlock:function(c,j){var a=c[j+1];c[j+1]=c[j+3];c[j+3]=a;this._doCryptBlock(c,j,this._invKeySchedule,b,x,q,G,s);a=c[j+1];c[j+1]=c[j+3];c[j+3]=a},_doCryptBlock:function(c,j,a,e,n,b,d,l){for(var f=this._nRounds,m=c[j]^a[0],g=c[j+1]^a[1],h=c[j+2]^a[2],k=c[j+3]^a[3],p=4,q=1;q<f;q++)var r=e[m>>>24]^n[g>>>16&255]^b[h>>>8&255]^d[k&255]^a[p++],s=e[g>>>24]^n[h>>>16&255]^b[k>>>8&255]^d[m&255]^a[p++],t=e[h>>>24]^n[k>>>16&255]^b[m>>>8&255]^d[g&255]^a[p++],k=e[k>>>24]^n[m>>>16&255]^b[g>>>8&255]^d[h&255]^a[p++],m=r,g=s,h=t;r=(l[m>>>24]<<24|l[g>>>16&255]<<16|l[h>>>8&255]<<8|l[k&255])^a[p++];s=(l[g>>>24]<<24|l[h>>>16&255]<<16|l[k>>>8&255]<<8|l[m&255])^a[p++];t=(l[h>>>24]<<24|l[k>>>16&255]<<16|l[m>>>8&255]<<8|l[g&255])^a[p++];k=(l[k>>>24]<<24|l[m>>>16&255]<<16|l[g>>>8&255]<<8|l[h&255])^a[p++];c[j]=r;c[j+1]=s;c[j+2]=t;c[j+3]=k}})})();
+
+// CBC mode
+CryptoJS.mode=CryptoJS.mode||{};
+CryptoJS.mode.CBC=function(){var u=CryptoJS.lib.BlockCipherMode.extend();u.Encryptor=u.extend({processBlock:function(p,d){var l=this._cipher,s=l.blockSize;this._iv&&(this._prevBlock=this._iv,this._iv=void 0);for(var t=0;t<s;t++)p[d+t]^=this._prevBlock[t];l.encryptBlock(p,d);this._prevBlock=p.slice(d,d+s)}});u.Decryptor=u.extend({processBlock:function(p,d){var l=this._cipher,s=l.blockSize,t=p.slice(d,d+s);l.decryptBlock(p,d);for(var r=0;r<s;r++)p[d+r]^=this._prevBlock[r];this._prevBlock=t}});return u}();
+
+// BlockCipherMode base
+CryptoJS.lib.BlockCipherMode=CryptoJS.lib.Base.extend({createEncryptor:function(u,p){return this.Encryptor.create(u,p)},createDecryptor:function(u,p){return this.Decryptor.create(u,p)},init:function(u,p){this._cipher=u;this._iv=p}});
+
+// Cipher base
+(function(){var u=CryptoJS,p=u.lib,d=p.Base,l=p.WordArray,s=u.enc;u.lib.Cipher=d.extend({cfg:d.extend(),createEncryptor:function(a,c){return this.create(1,a,c)},createDecryptor:function(a,c){return this.create(2,a,c)},init:function(a,c,e){this.cfg=this.cfg.extend(e);this._xformMode=a;this._key=c;this.reset()},reset:function(){d.reset.call(this);this._doReset()},process:function(a){this._append(a);return this._process()},finalize:function(a){a&&this._append(a);return this._doFinalize()},_createHelper:function(){function a(c,e,j){if("string"==typeof e)return b(c,e,j);return n(c,e,j)}function n(a,c,e){return a.createEncryptor(c,e).finalize()}function b(a,c,e){e=e||{};var j=u.algo.EvpKDF.create(e.kdf&&e.kdf.cfg||{});c=j.compute(c,e.salt||l.create());e.iv=e.iv||c.clone();return n(a,c,e)}return{encrypt:a,decrypt:function(a,c,e){"string"==typeof c?c=s.Hex.parse(c):void 0;return a.createDecryptor(c.key,e).finalize(c.ciphertext)}}}()});
+u.lib.BlockCipher=u.lib.Cipher.extend({cfg:u.lib.Cipher.cfg.extend({mode:CryptoJS.mode.CBC,padding:{pad:function(a,c){var e=4*c,j=e-a.sigBytes%e;a.concat(l.create([j<<24|j<<16|j<<8|j,j<<24|j<<16|j<<8|j,j<<24|j<<16|j<<8|j,j<<24|j<<16|j<<8|j],j))},unpad:function(a){a.sigBytes-=a.words[a.sigBytes-1>>>2]&255}}}),reset:function(){u.lib.Cipher.reset.call(this);var a=this.cfg,c=a.iv;a=a.mode;if(1==this._xformMode)var e=a.createEncryptor;else e=a.createDecryptor,this._minBufferSize=1;this._mode=e.call(a,this,c&&c.words)},_doProcessBlock:function(a,c){this._mode.processBlock(a,c)},_doFinalize:function(){var a=this.cfg.padding;1==this._xformMode?(a.pad(this._data,this.blockSize),this._process(!0)):(this._process(!0),a.unpad(this._data));return this._data}})})();
+
+// ZeroPadding
+CryptoJS.pad=CryptoJS.pad||{};
+CryptoJS.pad.ZeroPadding={pad:function(u,p){var d=4*p;u.clamp();u.sigBytes+=d-(u.sigBytes%d||d)},unpad:function(u){for(var p=u.words,d=u.sigBytes-1;!(p[d>>>2]>>>24-8*(d%4)&255);)d--;u.sigBytes=d+1}};
+
+// RSA (minimal JSBN implementation)
+function BigInteger(a,b,c){null!=a&&("number"==typeof a?this.fromNumber(a,b,c):null==b&&"string"!=typeof a?this.fromString(a,256):this.fromString(a,b))}var dbits,canary=0xdeadbeefcafe,j_lm=15715070==(canary&16777215);function am3(a,b,c,d,e,f){for(var g=b&16383,h=b>>14;--f>=0;){var i=this[a]&16383,j=this[a++]>>14,k=h*i+j*g;i=g*i+((k&16383)<<14)+c[d]+e;e=(i>>28)+(k>>14)+h*j;c[d++]=i&268435455}return e}BigInteger.prototype.am=am3;dbits=28;BigInteger.prototype.DB=dbits;BigInteger.prototype.DM=(1<<dbits)-1;BigInteger.prototype.DV=1<<dbits;var BI_FP=52;BigInteger.prototype.FV=Math.pow(2,BI_FP);BigInteger.prototype.F1=BI_FP-dbits;BigInteger.prototype.F2=2*dbits-BI_FP;var BI_RM="0123456789abcdefghijklmnopqrstuvwxyz",BI_RC=[];var rr,vv;rr="0".charCodeAt(0);for(vv=0;vv<=9;++vv)BI_RC[rr++]=vv;rr="a".charCodeAt(0);for(vv=0;vv<26;++vv)BI_RC[rr++]=vv;rr="A".charCodeAt(0);for(vv=0;vv<26;++vv)BI_RC[rr++]=vv;function int2char(a){return BI_RM.charAt(a)}function intAt(a,b){var c=BI_RC[a.charCodeAt(b)];return null==c?-1:c}function bnpCopyTo(a){for(var b=this.t-1;b>=0;--b)a[b]=this[b];a.t=this.t;a.s=this.s}function bnpFromInt(a){this.t=1;this.s=a<0?-1:0;a>0?this[0]=a:a<-1?this[0]=a+this.DV:this.t=0}function nbv(a){var b=new BigInteger(null);b.fromInt(a);return b}function bnpFromString(a,b){var c;if(16==b)c=4;else if(8==b)c=3;else if(256==b)c=8;else if(2==b)c=1;else if(32==b)c=5;else if(4==b)c=2;else{this.fromRadix(a,b);return}this.t=0;this.s=0;for(var d=a.length,e=!1,f=0;--d>=0;){var g=8==c?a.charCodeAt(d)&255:intAt(a,d);g<0?"-"==a.charAt(d)&&(e=!0):(e=!1,0==f?this[this.t++]=g:f+c>this.DB?(this[this.t-1]|=(g&(1<<this.DB-f)-1)<<f,this[this.t++]=g>>this.DB-f):this[this.t-1]|=g<<f,f+=c,f>=this.DB&&(f-=this.DB))}8==c&&0!=(a.charCodeAt(0)&128)&&(this.s=-1,f>0&&(this[this.t-1]|=(1<<this.DB-f)-1<<f));this.clamp();e&&BigInteger.ZERO.subTo(this,this)}function bnpClamp(){for(var a=this.s&this.DM;this.t>0&&this[this.t-1]==a;)--this.t}function bnToString(a){if(this.s<0)return"-"+this.negate().toString(a);var b;if(16==a)b=4;else if(8==a)b=3;else if(2==a)b=1;else if(32==a)b=5;else if(4==a)b=2;else return this.toRadix(a);var c=(1<<b)-1,d,e=!1,f="",g=this.t;var h=this.DB-g*this.DB%b;if(g-- >0){if(h<this.DB&&(d=this[g]>>h)>0){e=!0;f=int2char(d)}for(;g>=0;)h<b?(d=(this[g]&(1<<h)-1)<<b-h,d|=this[--g]>>(h+=this.DB-b)):(d=this[g]>>(h-=b)&c,h<=0&&(h+=this.DB,--g)),d>0&&(e=!0),e&&(f+=int2char(d))}return e?f:"0"}function bnNegate(){var a=new BigInteger(null);BigInteger.ZERO.subTo(this,a);return a}function bnCompareTo(a){var b=this.s-a.s;if(0!=b)return b;var c=this.t;b=c-a.t;if(0!=b)return this.s<0?-b:b;for(;--c>=0;)if(0!=(b=this[c]-a[c]))return b;return 0}function nbits(a){var b=1,c;0!=(c=a>>>16)&&(a=c,b+=16);0!=(c=a>>8)&&(a=c,b+=8);0!=(c=a>>4)&&(a=c,b+=4);0!=(c=a>>2)&&(a=c,b+=2);0!=(c=a>>1)&&(a=c,b+=1);return b}function bnBitLength(){return this.t<=0?0:this.DB*(this.t-1)+nbits(this[this.t-1]^this.s&this.DM)}function bnpDLShiftTo(a,b){for(var c=this.t-1;c>=0;--c)b[c+a]=this[c];for(c=a-1;c>=0;--c)b[c]=0;b.t=this.t+a;b.s=this.s}function bnpDRShiftTo(a,b){for(var c=a;c<this.t;++c)b[c-a]=this[c];b.t=Math.max(this.t-a,0);b.s=this.s}function bnpLShiftTo(a,b){var c=a%this.DB,d=this.DB-c,e=(1<<d)-1,f=Math.floor(a/this.DB),g=this.s<<c&this.DM,h;for(h=this.t-1;h>=0;--h)b[h+f+1]=this[h]>>d|g,g=(this[h]&e)<<c;for(h=f-1;h>=0;--h)b[h]=0;b[f]=g;b.t=this.t+f+1;b.s=this.s;b.clamp()}function bnpRShiftTo(a,b){b.s=this.s;var c=Math.floor(a/this.DB);if(c>=this.t)b.t=0;else{var d=a%this.DB,e=this.DB-d,f=(1<<d)-1;b[0]=this[c]>>d;for(var g=c+1;g<this.t;++g)b[g-c-1]|=(this[g]&f)<<e,b[g-c]=this[g]>>d;d>0&&(b[this.t-c-1]|=(this.s&f)<<e);b.t=this.t-c;b.clamp()}}function bnpSubTo(a,b){for(var c=0,d=0,e=Math.min(a.t,this.t);c<e;)d+=this[c]-a[c],b[c++]=d&this.DM,d>>=this.DB;if(a.t<this.t){d-=a.s;for(;c<this.t;)d+=this[c],b[c++]=d&this.DM,d>>=this.DB;d+=this.s}else{d+=this.s;for(;c<a.t;)d-=a[c],b[c++]=d&this.DM,d>>=this.DB;d-=a.s}b.s=d<0?-1:0;d<-1?b[c++]=this.DV+d:d>0&&(b[c++]=d);b.t=c;b.clamp()}function bnpMultiplyTo(a,b){var c=this.abs(),d=a.abs(),e=c.t;b.t=e+d.t;for(;--e>=0;)b[e]=0;for(e=0;e<d.t;++e)b[e+c.t]=c.am(0,d[e],b,e,0,c.t);b.s=0;b.clamp();this.s!=a.s&&BigInteger.ZERO.subTo(b,b)}function bnpSquareTo(a){for(var b=this.abs(),c=a.t=2*b.t;--c>=0;)a[c]=0;for(c=0;c<b.t-1;++c){var d=b.am(c,b[c],a,2*c,0,1);(a[c+b.t]+=b.am(c+1,2*b[c],a,2*c+1,d,b.t-c-1))>=b.DV&&(a[c+b.t]-=b.DV,a[c+b.t+1]=1)}a.t>0&&(a[a.t-1]+=b.am(c,b[c],a,2*c,0,1));a.s=0;a.clamp()}function bnpDivRemTo(a,b,c){var d=a.abs();if(!(d.t<=0)){var e=this.abs();if(e.t<d.t)null!=b&&b.fromInt(0),null!=c&&this.copyTo(c);else{null==c&&(c=new BigInteger(null));var f=new BigInteger(null),g=this.s,h=a.s,i=this.DB-nbits(d[d.t-1]);i>0?(d.lShiftTo(i,f),e.lShiftTo(i,c)):(d.copyTo(f),e.copyTo(c));var j=f.t,k=f[j-1];if(0!=k){var l=k*(1<<this.F1)+(j>1?f[j-2]>>this.F2:0),m=this.FV/l,n=(1<<this.F1)/l,o=1<<this.F2,p=c.t,q=p-j,r=null==b?new BigInteger(null):b;f.dlShiftTo(q,r);c.compareTo(r)>=0&&(c[c.t++]=1,c.subTo(r,c));nbv(1).dlShiftTo(j,r);for(r.subTo(f,f);f.t<j;)f[f.t++]=0;for(;--q>=0;){var s=c[--p]==k?this.DM:Math.floor(c[p]*m+(c[p-1]+o)*n);if((c[p]+=f.am(0,s,c,q,0,j))<s){f.dlShiftTo(q,r);c.subTo(r,c);for(;c[p]<--s;)c.subTo(r,c)}}null!=b&&(c.drShiftTo(j,b),g!=h&&BigInteger.ZERO.subTo(b,b));c.t=j;c.clamp();i>0&&c.rShiftTo(i,c);g<0&&BigInteger.ZERO.subTo(c,c)}}}}function bnMod(a){var b=new BigInteger(null);this.abs().divRemTo(a,null,b);this.s<0&&b.compareTo(BigInteger.ZERO)>0&&a.subTo(b,b);return b}function Classic(a){this.m=a}function cConvert(a){return a.s<0||a.compareTo(this.m)>=0?a.mod(this.m):a}function cRevert(a){return a}function cReduce(a){a.divRemTo(this.m,null,a)}function cMulTo(a,b,c){a.multiplyTo(b,c);this.reduce(c)}function cSqrTo(a,b){a.squareTo(b);this.reduce(b)}Classic.prototype.convert=cConvert;Classic.prototype.revert=cRevert;Classic.prototype.reduce=cReduce;Classic.prototype.mulTo=cMulTo;Classic.prototype.sqrTo=cSqrTo;function bnpInvDigit(){if(this.t<1)return 0;var a=this[0];if(0==(a&1))return 0;var b=a&3;b=b*(2-(a&15)*b)&15;b=b*(2-(a&255)*b)&255;b=b*(2-((a&65535)*b&65535))&65535;b=b*(2-a*b%this.DV)%this.DV;return b>0?this.DV-b:-b}function Montgomery(a){this.m=a;this.mp=a.invDigit();this.mpl=this.mp&32767;this.mph=this.mp>>15;this.um=(1<<a.DB-15)-1;this.mt2=2*a.t}function montConvert(a){var b=new BigInteger(null);a.abs().dlShiftTo(this.m.t,b);b.divRemTo(this.m,null,b);a.s<0&&b.compareTo(BigInteger.ZERO)>0&&this.m.subTo(b,b);return b}function montRevert(a){var b=new BigInteger(null);a.copyTo(b);this.reduce(b);return b}function montReduce(a){for(;a.t<=this.mt2;)a[a.t++]=0;for(var b=0;b<this.m.t;++b){var c=a[b]&32767,d=c*this.mpl+((c*this.mph+(a[b]>>15)*this.mpl&this.um)<<15)&a.DM;c=b+this.m.t;a[c]+=this.m.am(0,d,a,b,0,this.m.t);for(;a[c]>=a.DV;)a[c]-=a.DV,a[++c]++}a.clamp();a.drShiftTo(this.m.t,a);a.compareTo(this.m)>=0&&a.subTo(this.m,a)}function montSqrTo(a,b){a.squareTo(b);this.reduce(b)}function montMulTo(a,b,c){a.multiplyTo(b,c);this.reduce(c)}Montgomery.prototype.convert=montConvert;Montgomery.prototype.revert=montRevert;Montgomery.prototype.reduce=montReduce;Montgomery.prototype.mulTo=montMulTo;Montgomery.prototype.sqrTo=montSqrTo;function bnpIsEven(){return 0==(this.t>0?this[0]&1:this.s)}function bnpExp(a,b){if(a>4294967295||a<1)return BigInteger.ONE;var c=new BigInteger(null),d=new BigInteger(null),e=b.convert(this),f=nbits(a)-1;for(e.copyTo(c);--f>=0;)if(b.sqrTo(c,d),a&1<<f)b.mulTo(d,e,c);else{var g=c;c=d;d=g}return b.revert(c)}function bnModPowInt(a,b){var c;c=a<256||b.isEven()?new Classic(b):new Montgomery(b);return this.exp(a,c)}BigInteger.prototype.copyTo=bnpCopyTo;BigInteger.prototype.fromInt=bnpFromInt;BigInteger.prototype.fromString=bnpFromString;BigInteger.prototype.clamp=bnpClamp;BigInteger.prototype.dlShiftTo=bnpDLShiftTo;BigInteger.prototype.drShiftTo=bnpDRShiftTo;BigInteger.prototype.lShiftTo=bnpLShiftTo;BigInteger.prototype.rShiftTo=bnpRShiftTo;BigInteger.prototype.subTo=bnpSubTo;BigInteger.prototype.multiplyTo=bnpMultiplyTo;BigInteger.prototype.squareTo=bnpSquareTo;BigInteger.prototype.divRemTo=bnpDivRemTo;BigInteger.prototype.invDigit=bnpInvDigit;BigInteger.prototype.isEven=bnpIsEven;BigInteger.prototype.exp=bnpExp;BigInteger.prototype.toString=bnToString;BigInteger.prototype.negate=bnNegate;BigInteger.prototype.abs=function(){return this.s<0?this.negate():this};BigInteger.prototype.compareTo=bnCompareTo;BigInteger.prototype.bitLength=bnBitLength;BigInteger.prototype.mod=bnMod;BigInteger.prototype.modPowInt=bnModPowInt;BigInteger.ZERO=nbv(0);BigInteger.ONE=nbv(1);
+BigInteger.prototype.fromNumber=function(a,b,c){if("number"==typeof b)if(a<2)this.fromInt(1);else{this.fromNumber(a,c);this.testBit(a-1)||this.bitwiseTo(BigInteger.ONE.shiftLeft(a-1),function(a,b){return a|b},this);this.isEven()&&this.dAddOffset(1,0)}else{c=[];var d=a&7;c.length=(a>>3)+1;b.nextBytes(c);d>0?c[0]&=(1<<d)-1:c[0]=0;this.fromString(c,256)}};
+BigInteger.prototype.bitwiseTo=function(a,b,c){var d,e,f=Math.min(a.t,this.t);for(d=0;d<f;++d)c[d]=b(this[d],a[d]);if(a.t<this.t){e=a.s&this.DM;for(d=f;d<this.t;++d)c[d]=b(this[d],e);c.t=this.t}else{e=this.s&this.DM;for(d=f;d<a.t;++d)c[d]=b(e,a[d]);c.t=a.t}c.s=b(this.s,a.s);c.clamp()};
+BigInteger.prototype.shiftLeft=function(a){var b=new BigInteger(null);a<0?this.rShiftTo(-a,b):this.lShiftTo(a,b);return b};
+BigInteger.prototype.testBit=function(a){var b=Math.floor(a/this.DB);return b>=this.t?0!=this.s:0!=(this[b]&1<<a%this.DB)};
+BigInteger.prototype.dAddOffset=function(a,b){if(0!=a){for(;this.t<=b;)this[this.t++]=0;for(this[b]+=a;this[b]>=this.DV;)this[b]-=this.DV,++b>=this.t&&(this[this.t++]=0),++this[b]}};
+
+// PKCS1 padding
+function pkcs1pad2(s,n){if(n<s.length+11){log("Message too long for RSA","error");return null}var ba=[];var i=s.length-1;while(i>=0&&n>0){var c=s.charCodeAt(i--);if(c<128)ba[--n]=c;else if(c>127&&c<2048)ba[--n]=c&63|128,ba[--n]=c>>6|192;else ba[--n]=c&63|128,ba[--n]=c>>6&63|128,ba[--n]=c>>12|224}ba[--n]=0;var rng={nextBytes:function(x){for(var i=0;i<x.length;++i)x[i]=Math.floor(Math.random()*254)+1}};while(n>2){var x=0;while(x==0)rng.nextBytes([x=0]),x=Math.floor(Math.random()*254)+1;ba[--n]=x}ba[--n]=2;ba[--n]=0;return new BigInteger(ba)}
+
+// RSAKey
+function RSAKey(){this.n=null;this.e=0;this.d=null}
+RSAKey.prototype.setPublic=function(N,E){if(null!=N&&null!=E&&N.length>0&&E.length>0)this.n=new BigInteger(N,16),this.e=parseInt(E,16);};
+RSAKey.prototype.encrypt=function(text){var m=pkcs1pad2(text,(this.n.bitLength()+7)>>3);if(null==m)return null;var c=m.modPowInt(this.e,this.n);if(null==c)return null;var h=c.toString(16);return 0==(h.length&1)?h:"0"+h};
+
+// ---- Scanner Logic ----
+var scanResults = [];
+
+function log(msg, cls) {
+    var el = document.getElementById('log');
+    var span = document.createElement('span');
+    span.className = cls || '';
+    span.textContent = msg + '\n';
+    el.appendChild(span);
+    el.scrollTop = el.scrollHeight;
+}
+
+function clearLog() {
+    document.getElementById('log').innerHTML = '';
+    document.getElementById('results').innerHTML = '';
+    scanResults = [];
+}
+
+function parseIPs() {
+    var raw = document.getElementById('ips').value;
+    return raw.split(/[\n,]+/).map(function(s){ return s.trim(); }).filter(function(s){ return s.length > 0; });
+}
+
+async function fetchWithTimeout(url, opts, timeout) {
+    var controller = new AbortController();
+    var id = setTimeout(function() { controller.abort(); }, timeout || 10000);
+    opts = opts || {};
+    opts.signal = controller.signal;
+    try {
+        var resp = await fetch(url, opts);
+        clearTimeout(id);
+        return resp;
+    } catch(e) {
+        clearTimeout(id);
+        throw e;
+    }
+}
+
+async function scanPhone(ip, user, pass, proto, site) {
+    var base = proto + '://' + ip;
+    var result = { ip: ip, mac: '', serial: '', model: '', firmware: '', site: site, error: '' };
+
+    try {
+        // Step 1: Get login page for RSA keys + JSESSIONID
+        log('  [' + ip + '] Fetching login page...', 'info');
+        var loginResp = await fetchWithTimeout(base + '/');
+        var loginHtml = await loginResp.text();
+
+        var nMatch = loginHtml.match(/g_rsa_n\s*=\s*"([A-Fa-f0-9]+)"/);
+        var eMatch = loginHtml.match(/g_rsa_e\s*=\s*"([A-Fa-f0-9]+)"/);
+        if (!nMatch || !eMatch) {
+            result.error = 'No RSA keys found on login page';
+            log('  [' + ip + '] ' + result.error, 'error');
+            return result;
+        }
+
+        // Get JSESSIONID from cookie (may not be accessible due to httpOnly)
+        // Try to get it from the loginForm iframe instead
+        log('  [' + ip + '] Fetching loginForm for fresh keys...', 'info');
+        var formResp = await fetchWithTimeout(base + '/servlet?m=mod_listener&p=login&q=loginForm&Random=' + Math.random());
+        var formHtml = await formResp.text();
+
+        var fnMatch = formHtml.match(/g_rsa_n\s*=\s*"([A-Fa-f0-9]+)"/);
+        var feMatch = formHtml.match(/g_rsa_e\s*=\s*"([A-Fa-f0-9]+)"/);
+        var rsaN = fnMatch ? fnMatch[1] : nMatch[1];
+        var rsaE = feMatch ? feMatch[1] : eMatch[1];
+
+        log('  [' + ip + '] RSA N: ' + rsaN.substring(0, 30) + '...', 'info');
+
+        // Step 2: Setup encryption (same as YLForm.InitEncrypt)
+        var rsa = new RSAKey();
+        rsa.setPublic(rsaN, rsaE);
+
+        var aesKeyHex = CryptoJS.MD5(Math.random().toString()).toString();
+        var aesIvHex = CryptoJS.MD5(Math.random().toString()).toString();
+        var aesKey = CryptoJS.enc.Hex.parse(aesKeyHex);
+        var aesIv = CryptoJS.enc.Hex.parse(aesIvHex);
+
+        // RSA encrypt the key and IV hex strings
+        var rsakey = rsa.encrypt(aesKeyHex);
+        var rsaiv = rsa.encrypt(aesIvHex);
+
+        // Step 3: Get JSESSIONID from cookies
+        // Since fetch may not give us cookies due to CORS, try to read from document.cookie
+        // or just use empty string
+        var jsessionId = '';
+        var cookieMatch = document.cookie.match(/JSESSIONID=(\w+)/);
+        if (cookieMatch) jsessionId = cookieMatch[1];
+
+        // Step 4: AES encrypt the password
+        var plaintext = Math.random().toString() + ';' + jsessionId + ';' + pass;
+        var encrypted = CryptoJS.AES.encrypt(plaintext, aesKey, {
+            iv: aesIv,
+            mode: CryptoJS.mode.CBC,
+            padding: CryptoJS.pad.ZeroPadding
+        });
+        var pwdEncrypted = encrypted.toString(); // Base64
+
+        // Step 5: POST login
+        log('  [' + ip + '] Logging in...', 'info');
+        var postBody = 'username=' + encodeURIComponent(user) +
+                       '&pwd=' + encodeURIComponent(pwdEncrypted) +
+                       '&rsakey=' + encodeURIComponent(rsakey) +
+                       '&rsaiv=' + encodeURIComponent(rsaiv);
+
+        var loginResult = await fetchWithTimeout(base + '/servlet?m=mod_listener&p=login&q=login', {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: postBody
+        });
+        var loginText = await loginResult.text();
+        log('  [' + ip + '] Login response: ' + loginText.replace(/<[^>]+>/g, '').trim(), 'info');
+
+        if (loginText.indexOf('"done"') < 0 && loginText.indexOf('"DONE"') < 0) {
+            result.error = 'Login failed: ' + loginText.replace(/<[^>]+>/g, '').trim();
+            log('  [' + ip + '] ' + result.error, 'error');
+            return result;
+        }
+
+        log('  [' + ip + '] Login successful!', 'success');
+
+        // Step 6: Fetch status page
+        var statusResp = await fetchWithTimeout(base + '/servlet?m=mod_data&p=status-status&q=load');
+        var statusText = await statusResp.text();
+
+        log('  [' + ip + '] Status response (' + statusText.length + ' chars)', 'info');
+
+        // Try to parse as JSON first
+        try {
+            var jsonMatch = statusText.match(/\{[\s\S]+\}/);
+            if (jsonMatch) {
+                var data = JSON.parse(jsonMatch[0]);
+                log('  [' + ip + '] JSON keys: ' + Object.keys(data).join(', '), 'info');
+                // Try various field names
+                result.mac = data.MAC || data.MacAddress || data.mac || '';
+                result.serial = data.SerialNumber || data.Serial || data.serial || data.Machine_ID || data.MachineID || data.SN || '';
+                result.model = data.ModelName || data.Model || data.model || data.ProductName || '';
+                result.firmware = data.FirmwareVersion || data.Firmware || data.firmware || data.FWVersion || '';
+            }
+        } catch(e) {}
+
+        // Fallback: parse HTML
+        if (!result.serial) {
+            var serialMatch = statusText.match(/(?:serial\s*(?:number)?|machine\s*id|SN)\s*[:=<>\s]+([A-Za-z0-9]+)/i);
+            if (serialMatch) result.serial = serialMatch[1];
+        }
+        if (!result.mac) {
+            var macMatch = statusText.match(/([0-9A-Fa-f]{2}[:-][0-9A-Fa-f]{2}[:-][0-9A-Fa-f]{2}[:-][0-9A-Fa-f]{2}[:-][0-9A-Fa-f]{2}[:-][0-9A-Fa-f]{2})/);
+            if (macMatch) result.mac = macMatch[1];
+        }
+        if (!result.model) {
+            var modelMatch = statusText.match(/(?:SIP-)?T\d{2,3}[A-Za-z]?/i);
+            if (modelMatch) result.model = modelMatch[0];
+        }
+
+        // If still no data, save raw for debugging
+        if (!result.serial) {
+            log('  [' + ip + '] Raw status (first 500): ' + statusText.substring(0, 500), 'warn');
+        }
+
+        if (result.serial) {
+            log('  [' + ip + '] Serial: ' + result.serial, 'success');
+        }
+        log('  [' + ip + '] MAC: ' + result.mac + ' Model: ' + result.model + ' FW: ' + result.firmware, 'info');
+
+    } catch(e) {
+        result.error = e.message || e.toString();
+        log('  [' + ip + '] ERROR: ' + result.error, 'error');
+    }
+
+    return result;
+}
+
+async function startScan() {
+    var btn = document.getElementById('scanBtn');
+    btn.disabled = true;
+    btn.textContent = 'Scanning...';
+    scanResults = [];
+
+    var ips = parseIPs();
+    var user = document.getElementById('username').value;
+    var pass = document.getElementById('password').value;
+    var site = document.getElementById('sitename').value;
+    var proto = document.getElementById('protocol').value;
+
+    log('========================================', 'info');
+    log('Starting scan of ' + ips.length + ' phone(s)...', 'info');
+    log('========================================', 'info');
+
+    for (var i = 0; i < ips.length; i++) {
+        log('[' + (i+1) + '/' + ips.length + '] Scanning ' + ips[i] + '...', 'info');
+        var result = await scanPhone(ips[i], user, pass, proto, site);
+        scanResults.push(result);
+        log('', '');
+    }
+
+    log('========================================', 'info');
+    log('Scan complete. ' + scanResults.length + ' phone(s) processed.', 'success');
+    log('========================================', 'info');
+
+    renderResults();
+    btn.disabled = false;
+    btn.textContent = 'Scan Phones';
+}
+
+function renderResults() {
+    var html = '<h2>Results</h2><table><tr><th>IP</th><th>MAC</th><th>Serial (Machine ID)</th><th>Model</th><th>Firmware</th><th>Site</th><th>Status</th></tr>';
+    for (var i = 0; i < scanResults.length; i++) {
+        var r = scanResults[i];
+        var status = r.error ? '<span class="error">' + r.error.substring(0, 50) + '</span>' : '<span class="success">OK</span>';
+        html += '<tr><td>' + r.ip + '</td><td>' + r.mac + '</td><td>' + r.serial + '</td><td>' + r.model + '</td><td>' + r.firmware + '</td><td>' + r.site + '</td><td>' + status + '</td></tr>';
+    }
+    html += '</table>';
+    document.getElementById('results').innerHTML = html;
+}
+
+function exportCSV() {
+    if (scanResults.length === 0) { log('No results to export.', 'warn'); return; }
+    var csv = 'MAC,Serial,Model,FirmwareVersion,IP,SiteName\n';
+    for (var i = 0; i < scanResults.length; i++) {
+        var r = scanResults[i];
+        csv += r.mac + ',' + r.serial + ',' + r.model + ',' + r.firmware + ',' + r.ip + ',' + r.site + '\n';
+    }
+    var blob = new Blob([csv], { type: 'text/csv' });
+    var a = document.createElement('a');
+    a.href = URL.createObjectURL(blob);
+    a.download = 'yealink_inventory.csv';
+    a.click();
+}
+</script>
+</body>
+</html>