diff --git a/patches/openwrt/0123-ar71xx-sysupgrade-improve-CPE-WBS-210-510-validation-add-new-metadata-offset.patch b/patches/openwrt/0123-ar71xx-sysupgrade-improve-CPE-WBS-210-510-validation-add-new-metadata-offset.patch
new file mode 100644
index 00000000..1a99bb56
--- /dev/null
+++ b/patches/openwrt/0123-ar71xx-sysupgrade-improve-CPE-WBS-210-510-validation-add-new-metadata-offset.patch
@@ -0,0 +1,61 @@
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+Date: Tue, 10 Apr 2018 18:06:20 +0200
+Subject: ar71xx: sysupgrade: improve CPE/WBS 210/510 validation, add new metadata offset
+
+Previously, tplink_pharos_check_image() would accept any image with ELF
+magic and only non-printable data in the support-list, as in this case the
+while-read loop would not run at all. Add the new support-list offset and
+ensure an image is only accepted when the model string is actually found.
+
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+
+diff --git a/target/linux/ar71xx/base-files/lib/upgrade/platform.sh b/target/linux/ar71xx/base-files/lib/upgrade/platform.sh
+index e61ebf7c2221fd56bb902f14d96cb25d174718ee..982873b5f533b799f0008c7e43f2405cf65e7d20 100755
+--- a/target/linux/ar71xx/base-files/lib/upgrade/platform.sh
++++ b/target/linux/ar71xx/base-files/lib/upgrade/platform.sh
+@@ -74,6 +74,22 @@ tplink_get_image_boot_size() {
+ 	get_image "$@" | dd bs=4 count=1 skip=37 2>/dev/null | hexdump -v -n 4 -e '1/1 "%02x"'
+ }
+ 
++tplink_pharos_check_support_list() {
++	local image="$1"
++	local offset="$2"
++	local model="$3"
++
++	# Here $image is given to dd directly instead of using get_image;
++	# otherwise the skip will take almost a second (as dd can't seek)
++	dd if="$image" bs=1 skip=$offset count=1024 2>/dev/null | (
++		while IFS= read -r line; do
++			[ "$line" = "$model" ] && exit 0
++		done
++
++		exit 1
++	)
++}
++
+ tplink_pharos_check_image() {
+ 	local magic_long="$(get_magic_long "$1")"
+ 	[ "$magic_long" != "7f454c46" ] && {
+@@ -82,18 +98,10 @@ tplink_pharos_check_image() {
+ 	}
+ 
+ 	local model_string="$(tplink_pharos_get_model_string)"
+-	local line
+-
+-	# Here $1 is given to dd directly instead of get_image as otherwise the skip
+-	# will take almost a second (as dd can't seek then)
+-	#
+-	# This will fail if the image isn't local, but that's fine: as the
+-	# read loop won't be executed at all, it will return true, so the image
+-	# is accepted (loading the first 1.5M of a remote image for this check seems
+-	# a bit extreme)
+-	dd if="$1" bs=1 skip=1511432 count=1024 2>/dev/null | while read line; do
+-		[ "$line" == "$model_string" ] && break
+-	done || {
++
++	# New images have the support list at 7802888, old ones at 1511432
++	tplink_pharos_check_support_list "$1" 7802888 "$model_string" || \
++	tplink_pharos_check_support_list "$1" 1511432 "$model_string" || {
+ 		echo "Unsupported image (model not in support-list)"
+ 		return 1
+ 	}