diff --git a/iiab-install b/iiab-install
index 8a4a18560..261893cf3 100755
--- a/iiab-install
+++ b/iiab-install
@@ -145,40 +145,16 @@ if [ "$STAGE" -lt 2 ] && [ "$1" == "--debug" ]; then
     echo -e "\n'--debug' *ignored* as STAGE (counter) < 2."
 fi
 
-# TEMPORARY: Catch images up to current code to benefit from pre-installed apps
-# Workaround for (web-published) images; will go away later
-# Assumes /etc/iiab/iiab_state.yml is not created until (prior run of) Stage 4 but
-# config_vars2.yml is present with the stage counter altered by pi-gen to be 2.
-if [ -f /etc/iiab/config_vars2.yml ]; then
-    mv /etc/iiab/config_vars2.yml $IIAB_STATE_FILE
-
-# Fix up prior values in state file
-# mongo role improved post image creation
-    if grep -q sugar $IIAB_STATE_FILE && ! grep -q mongodb $IIAB_STATE_FILE; then
-        echo "mongodb_installed: True" >> $IIAB_STATE_FILE
-    fi
-
-# TEMPORARY: another change to account for
-#    sed -i -e 's/pan_bluetooth/bluetooth/' $IIAB_STATE_FILE
-
-    if [ "$STAGE" -eq 2 ]; then
-        echo -e "\nCompleting Stage 3 from IIAB image (starts systemd service iiab-setup-db to run the 'mysql' role)."
-        systemctl start iiab-setup-db
-    fi
-
-    PLAYBOOK="iiab-from-console.yml"    # Stage 4-9 then Network Role
-    ARGS=""    # Removes '--extra-vars reinstall=True' if --reinstall, BUT WHY?
-# The same as --reinstall except Stage 3 is not run as there are no other functional
-# changes in Stage 3 to account for post image creation, once the above is run.
-# reinstall=True would force kiwix to re-download and re-install in commit
-# ce2ec3b0cad76449caf3299003b5d297a3164181
-## End image catch up
-fi
-
+# /etc/iiab/iiab_state.yml is mandatory and must be created here.  Background:
 # Allow iiab-install to read IIAB_STATE_FILE to not repeat installs of previous
 # roles that already completed within the stage.
 if [ ! -f  $IIAB_STATE_FILE ]; then
-    touch $IIAB_STATE_FILE
+    #touch $IIAB_STATE_FILE
+    cat > $IIAB_STATE_FILE << EOF
+# DO *NOT* MANUALLY EDIT THIS, THANKS!
+# IIAB does NOT currently support uninstalling apps/services.
+
+EOF
 fi
 echo -e "\nTRY TO RERUN './iiab-install' IF IT FAILS DUE TO CONNECTIVITY ISSUES ETC!\n"
 
diff --git a/roles/firmware/tasks/install.yml b/roles/firmware/tasks/install.yml
new file mode 100644
index 000000000..bcc7b496d
--- /dev/null
+++ b/roles/firmware/tasks/install.yml
@@ -0,0 +1,26 @@
+# check the timestamps, might want to preserve the old ones
+- name: Backup OS provided Firmware
+  copy:
+    src: "/lib/firmware/brcm/{{ item }}"
+    dest: "/lib/firmware/brcm/{{ item }}.orig"
+  with_items:
+    - brcmfmac43430-sdio.bin
+    - brcmfmac43455-sdio.bin
+    - brcmfmac43455-sdio.clm_blob
+
+# grab the old firmware
+- name: Retrieve older firmware
+  get_url:
+    url: "{{ item.url }}"
+    dest: "{{ item.dest }}"
+  with_items:
+    - { url: 'http://d.iiab.io/packages/brcmfmac43430-sdio.clm_blob_2018-09-11_7.45.98.65', dest: '/lib/firmware/brcm/brcmfmac43430-sdio.clm_blob.iiab' }
+    - { url: 'http://d.iiab.io/packages/brcmfmac43430-sdio.bin_2018-09-11_7.45.98.65', dest: '/lib/firmware/brcm/brcmfmac43430-sdio.bin.iiab' }
+    - { url: 'http://d.iiab.io/packages/brcmfmac43455-sdio.bin_2015-03-01_7.45.18.0_ub19.10.1', dest: '/lib/firmware/brcm/brcmfmac43455-sdio.bin.iiab' }
+    - { url: 'http://d.iiab.io/packages/brcmfmac43455-sdio.clm_blob_2018-02-26_rpi', dest: '/lib/firmware/brcm/brcmfmac43455-sdio.clm_blob.iiab' }
+
+- name: "Add 'firmware_retrieved: True' to {{ iiab_state_file }}"
+  lineinfile:
+    path: "{{ iiab_state_file }}"    # /etc/iiab/iiab_state.yml
+    regexp: '^RPi_firmware_retrieved'
+    line: 'RPi_firmware_retrieved: True'
diff --git a/roles/firmware/tasks/main.yml b/roles/firmware/tasks/main.yml
new file mode 100644
index 000000000..2d493c259
--- /dev/null
+++ b/roles/firmware/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: Include older RPi Firmware
+  include_tasks: install.yml
+  when: RPi_firmware_retrieved is undefined
+
+- name: Install check-firmware service files
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { src: 'fw_warn.sh', dest: '/etc/profile.d/', mode: '0644' }
+    - { src: 'check-firmware.service', dest: '/etc/systemd/system/', mode: '0644' }
+    - { src: 'check-firmware.sh', dest: '/usr/sbin/', mode: '0755' }
+
+- name: Enable and Start check-firmware.service
+  systemd:
+    name: check-firmware.service
+    daemon_reload: yes
+    state: restarted
+    enabled: yes
diff --git a/roles/firmware/templates/check-firmware.service b/roles/firmware/templates/check-firmware.service
new file mode 100644
index 000000000..077e3ab8a
--- /dev/null
+++ b/roles/firmware/templates/check-firmware.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Check Firmware service
+Before=clone-wifi.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/check-firmware.sh
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/roles/firmware/templates/check-firmware.sh b/roles/firmware/templates/check-firmware.sh
new file mode 100644
index 000000000..e83d7756e
--- /dev/null
+++ b/roles/firmware/templates/check-firmware.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+FW_MODE=$(grep wifi_hotspot_capacity_rpi_fix /etc/iiab/local_vars.yml| grep True)
+WARN=0
+DATE=$(date +%F-%T)
+if [ -z "$FW_MODE" ]; then
+    echo "FW marker not found"
+else
+    echo "$FW_MODE"
+    if ! $(diff -q /lib/firmware/brcm/brcmfmac43455-sdio.bin.iiab /lib/firmware/brcm/brcmfmac43455-sdio.bin); then
+        mv /lib/firmware/brcm/brcmfmac43455-sdio.bin /lib/firmware/brcm/brcmfmac43455-sdio.bin.$DATE
+        cp /lib/firmware/brcm/brcmfmac43455-sdio.bin.iiab /lib/firmware/brcm/brcmfmac43455-sdio.bin
+        echo "replacing firmware"
+        WARN=1
+    fi
+    if ! $(diff -q /lib/firmware/brcm/brcmfmac43455-sdio.clm_blob.iiab /lib/firmware/brcm/brcmfmac43455-sdio.clm_blob); then
+        mv /lib/firmware/brcm/brcmfmac43455-sdio.clm_blob /lib/firmware/brcm/brcmfmac43455-sdio.clm_blob.$DATE
+        cp /lib/firmware/brcm/brcmfmac43455-sdio.clm_blob.iiab /lib/firmware/brcm/brcmfmac43455-sdio.clm_blob
+        echo "replacing firmware"
+        WARN=1
+    fi
+    if ! $(diff -q /lib/firmware/brcm/brcmfmac43430-sdio.bin.iiab /lib/firmware/brcm/brcmfmac43430-sdio.bin); then
+        mv /lib/firmware/brcm/brcmfmac43430-sdio.bin /lib/firmware/brcm/brcmfmac43430-sdio.bin.$DATE
+        cp /lib/firmware/brcm/brcmfmac43430-sdio.bin.iiab /lib/firmware/brcm/brcmfmac43430-sdio.bin
+        cp /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob.iiab /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob
+        echo "replacing firmware"
+        WARN=1
+    fi
+    if ! $(diff -q /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob.iiab /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob); then
+        mv /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob.$DATE
+        cp /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob.iiab /lib/firmware/brcm/brcmfmac43430-sdio.clm_blob
+        echo "replacing firmware"
+        WARN=1
+    fi
+fi
+if [ "$WARN" = "1" ]; then
+    echo -e " \033[31;5mFirmware has been replaced\033[0m"
+    echo -e " \033[31;5mReboot is required to activate\033[0m"
+    touch /.fw_replaced
+    #echo "rebooting..."
+    #reboot
+else
+    echo -e " Firmware check \033[32;5mPASSED\033[0m"
+    if [ -f /.fw_replaced ]; then
+        rm /.fw_replaced
+    fi
+fi
+exit 0
diff --git a/roles/firmware/templates/fw_warn.sh b/roles/firmware/templates/fw_warn.sh
new file mode 100644
index 000000000..c6a6e2bfe
--- /dev/null
+++ b/roles/firmware/templates/fw_warn.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+if [ -f /.fw_replaced ]; then
+    echo -e " \033[31;5mFirmware has been replaced\033[0m"
+    echo -e " \033[31;5mReboot is required to activate\033[0m"
+fi
+
diff --git a/roles/network/tasks/enable_services.yml b/roles/network/tasks/enable_services.yml
index c52809960..1ce2e06bf 100644
--- a/roles/network/tasks/enable_services.yml
+++ b/roles/network/tasks/enable_services.yml
@@ -85,23 +85,22 @@
 #- debug:
 #    var: nd_enabled
 
-#- name: Check if /etc/networkd-dispatcher/routable.d exists
-#  stat:
-#    path: /etc/networkd-dispatcher/routable.d
-#  register: nd_dir
+- name: Check if /etc/networkd-dispatcher/routable.d exists
+  stat:
+    path: /etc/networkd-dispatcher/routable.d
+  register: nd_dir
 
 #- debug:
 #    var: nd_dir
 
-#- name: To restart dnsmasq whenever br0 comes up, install /etc/networkd-dispatcher/routable.d/dnsmasq.sh from template (if isn't Appliance, and networkd-dispatcher is enabled, and directory /etc/networkd-dispatcher/routable.d exists, i.e. OS's like Ubuntu 18.04)
-#- name: To restart dnsmasq whenever br0 comes up, install /etc/networkd-dispatcher/routable.d/dnsmasq.sh from template (if isn't Appliance, and directory /etc/networkd-dispatcher/routable.d exists, i.e. OS's like Ubuntu 18.04)
-#  template:
-#    src: roles/network/templates/network/dnsmasq.sh.j2
-#    dest: /etc/networkd-dispatcher/routable.d/dnsmasq.sh
-#    mode: 0755
-#    owner: root
-#    group: root
-#  when: dnsmasq_install and dnsmasq_enabled and nd_dir.stat.exists and nd_dir.stat.isdir and (iiab_network_mode != "Appliance")
+- name: To restart dnsmasq whenever br0 comes up, install /etc/networkd-dispatcher/routable.d/dnsmasq.sh from template (if isn't Appliance, and directory /etc/networkd-dispatcher/routable.d exists, i.e. OS's like Ubuntu 18.04 or later)
+  template:
+    src: roles/network/templates/network/dnsmasq.sh.j2
+    dest: /etc/networkd-dispatcher/routable.d/dnsmasq.sh
+    mode: 0755
+    owner: root
+    group: root
+  when: dnsmasq_install and dnsmasq_enabled and nd_dir.stat.exists and nd_dir.stat.isdir and (iiab_network_mode != "Appliance")
   #when: dnsmasq_install and dnsmasq_enabled and nd_enabled is defined and nd_enabled.stdout == "enabled" and nd_dir.stat.exists and nd_dir.stat.isdir and (iiab_network_mode != "Appliance")
   #when: dnsmasq_install and dnsmasq_enabled and systemd_out.status.UnitFileState == "enabled" and networkd_dir.stat.exists and networkd_dir.stat.isdir and (iiab_network_mode != "Appliance")
 
diff --git a/roles/network/tasks/main.yml b/roles/network/tasks/main.yml
index 1ffc904d0..35bd3c66d 100644
--- a/roles/network/tasks/main.yml
+++ b/roles/network/tasks/main.yml
@@ -1,3 +1,8 @@
+- name: Select RPi firmware mode
+  include_role:
+    name: firmware
+  when: rpi_model != "none"
+
 - name: detected_network
   include_tasks: detected_network.yml
 
diff --git a/roles/network/templates/hostapd/50-hostapd b/roles/network/templates/hostapd/50-hostapd
index 601f8660a..603f570a8 100644
--- a/roles/network/templates/hostapd/50-hostapd
+++ b/roles/network/templates/hostapd/50-hostapd
@@ -1,3 +1,8 @@
+if [ "$interface" = "br0" ] && [ $if_up = "true" ]; then
+    syslog info "50-iiab IF_UP br0 restarting dnsmasq"
+    sleep 2
+    systemctl --no-block restart dnsmasq
+fi
 
 if [ "$interface" = "wlan0" ]; then
     REASON="$reason"
diff --git a/roles/network/templates/network/dnsmasq.sh.j2 b/roles/network/templates/network/dnsmasq.sh.j2
index 1969f8da5..00df42bf3 100755
--- a/roles/network/templates/network/dnsmasq.sh.j2
+++ b/roles/network/templates/network/dnsmasq.sh.j2
@@ -3,5 +3,5 @@
 if [ "$IFACE" == "{{ iiab_lan_iface }}" ]; then
     echo "Restarting dnsmasq in 5 seconds"
     /bin/sleep 5 && /bin/systemctl --no-block restart dnsmasq.service
-    echo "Restarting dnsmasq"
+    echo "Restarted dnsmasq"
 fi
diff --git a/runrole b/runrole
index cb8189a60..b1615bf43 100755
--- a/runrole
+++ b/runrole
@@ -34,10 +34,21 @@ fi
 #    exit 1
 #fi
 
+# 2020-08-05: yes /etc/iiab/iiab_state.yml is necessary, but we DON'T
+# want to encourage sloppy operators to delete/touch this file.
+#
+# (The iiab_state.yml file should always be created by ./iiab-install,
+# for IIAB's Ansible roles that then auto-populate this file.)
+#
+# FYI ./iiab-network and ./iiab-configure likewise warn operators (IN RED!)
+# if they try to run without the existence of /etc/iiab/iiab_state.yml :
+#
+# ERROR! vars file /etc/iiab/iiab_state.yml was not found
+#
 # Needed for Stages 1-3 if not installed yet
-if [ ! -f $IIAB_STATE_FILE ]; then
-    touch $IIAB_STATE_FILE
-fi
+#if [ ! -f $IIAB_STATE_FILE ]; then
+#    touch $IIAB_STATE_FILE
+#fi
 
 #if ! grep -q $1_install $LOCAL_VARS_FILE; then
 #    echo " $1_install: not found in $VARS"
diff --git a/scripts/iiab-diagnostics b/scripts/iiab-diagnostics
index bb74c0414..683463218 100755
--- a/scripts/iiab-diagnostics
+++ b/scripts/iiab-diagnostics
@@ -234,10 +234,11 @@ read ans < /dev/tty
 echo -e "\e[1m"
 if [ "$ans" == "" ] || [ "$ans" == "y" ] || [ "$ans" == "Y" ]; then
     echo -ne "PUBLISHING TO URL... "
-    pastebinit -b dpaste.com < $outfile    # Run 'pastebinit -l' to list other possible pastebin site URLs
+    #pastebinit -b dpaste.com < $outfile
+    pastebinit -b sprunge.us < $outfile    # Run 'pastebinit -l' to list other possible pastebin site URLs
 else
     echo -e "If you later decide to publish it, run:"
     echo
-    echo -e "   pastebinit -b dpaste.com < $outfile"
+    echo -e "   pastebinit -b sprunge.us < $outfile"
 fi
 echo -e "\e[0m"
diff --git a/scripts/iiab-diagnostics.README.md b/scripts/iiab-diagnostics.README.md
index 4a6c8e318..1a6353ad5 100644
--- a/scripts/iiab-diagnostics.README.md
+++ b/scripts/iiab-diagnostics.README.md
@@ -49,7 +49,7 @@ But first off, the file is compiled by harvesting 1 + 6 kinds of things:
    Or, you can later/manually upload it using the ``pastebinit`` command:
 
    ```
-   pastebinit -b dpaste.com < /etc/iiab/diag/NEW-FILE-NAME
+   pastebinit -b sprunge.us < /etc/iiab/diag/NEW-FILE-NAME
    ```
 
    Either way, this will generate an actual web link (URL).
@@ -62,4 +62,4 @@ But first off, the file is compiled by harvesting 1 + 6 kinds of things:
 
 ## Source Code
 
-Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 105-218 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible.
+Please look over the bottom of [iiab-diagnostics](iiab-diagnostics) (lines 106-218 especially) to learn more about which common IIAB files and commands make this rapid troubleshooting possible.
diff --git a/vars/default_vars.yml b/vars/default_vars.yml
index e2bb37e3c..f7cfa19a8 100644
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@@ -95,7 +95,10 @@ hostapd_secure: False
 hostapd_password: changeme
 hostapd_install: True    # 2020-01-21: this var MIGHT be implemented in future.
 hostapd_enabled: True
-wifi_up_down: True    # Creates a 2nd virtual wifi adapter for upstream WiFi
+wifi_hotspot_capacity_rpi_fix: True    # Restores the ability of RPi internal
+# WiFi hotspots to service 30-to-32 client devices.  Background explanation:
+# https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472.
+wifi_up_down: True    # Creates a 2nd virtual WiFi adapter for upstream WiFi
 # (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot).
 # You can set iiab_gateway_enabled below, to enable "passthrough" to Internet.
 
diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml
index 2b859b4bd..7be6d4ba9 100644
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@@ -46,7 +46,10 @@ host_wifi_mode: g
 host_channel: 6
 hostapd_secure: False
 hostapd_password: changeme
-wifi_up_down: True    # Creates a 2nd virtual wifi adapter for upstream WiFi
+wifi_hotspot_capacity_rpi_fix: True    # Restores the ability of RPi internal
+# WiFi hotspots to service 30-to-32 client devices.  Background explanation:
+# https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472.
+wifi_up_down: True    # Creates a 2nd virtual WiFi adapter for upstream WiFi
 # (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot).
 # You can set iiab_gateway_enabled below, to enable "passthrough" to Internet.
 
diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml
index f4f5f7464..9f619aa84 100644
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@@ -46,7 +46,10 @@ host_wifi_mode: g
 host_channel: 6
 hostapd_secure: False
 hostapd_password: changeme
-wifi_up_down: True    # Creates a 2nd virtual wifi adapter for upstream WiFi
+wifi_hotspot_capacity_rpi_fix: True    # Restores the ability of RPi internal
+# WiFi hotspots to service 30-to-32 client devices.  Background explanation:
+# https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472.
+wifi_up_down: True    # Creates a 2nd virtual WiFi adapter for upstream WiFi
 # (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot).
 # You can set iiab_gateway_enabled below, to enable "passthrough" to Internet.
 
diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml
index f32591746..cbb15ad7d 100644
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@@ -46,7 +46,10 @@ host_wifi_mode: g
 host_channel: 6
 hostapd_secure: False
 hostapd_password: changeme
-wifi_up_down: True    # Creates a 2nd virtual wifi adapter for upstream WiFi
+wifi_hotspot_capacity_rpi_fix: True    # Restores the ability of RPi internal
+# WiFi hotspots to service 30-to-32 client devices.  Background explanation:
+# https://github.com/iiab/iiab/issues/823#issuecomment-662285202 and PR #2472.
+wifi_up_down: True    # Creates a 2nd virtual WiFi adapter for upstream WiFi
 # (e.g. to Internet) in addition to downstream WiFi (e.g. classroom hotspot).
 # You can set iiab_gateway_enabled below, to enable "passthrough" to Internet.