diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b30c1980e97901270776830f513e5ce2ae083190..d109a78e1e32ff61f15c5f86c225c94ccd614f95 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -14,8 +14,9 @@ build:
     arch-test arm64
     env --chdir=reform2-imx8mq ./mkimage.sh
     pigz ./reform2-imx8mq/reform-system.img
-    pigz ./reform2-imx8mq/reform-rescue-system.img
+    env --chdir=reform2-a311d ./mkimage.sh
+    pigz ./reform2-a311d/reform-system.img
   artifacts:
     paths:
       - "reform2-imx8mq/reform-system.img.gz"
-      - "reform2-imx8mq/reform-rescue-system.img.gz"
+      - "reform2-a311d/reform-system.img.gz"
diff --git a/reform2-a311d/README-BOOT.md b/reform2-a311d/README-BOOT.md
new file mode 100644
index 0000000000000000000000000000000000000000..4dc27680d93de8c5ab112d1fa5ff092a597c762c
--- /dev/null
+++ b/reform2-a311d/README-BOOT.md
@@ -0,0 +1,45 @@
+# A311D Bootloader build
+
+## u-boot
+
+```bash
+git clone https://github.com/u-boot/u-boot
+cd u-boot
+export CROSS_COMPILE=aarch64-linux-gnu-
+export ARCH=arm64
+
+cp ../meson-g12b-bananapi-cm4-mnt-reform2.dts arch/arm/dts/
+patch -p1 <../dts-makefile.patch
+cp ../bananapi-cm4-mnt-reform2_defconfig configs/
+
+make bananapi-cm4-mnt-reform2_defconfig
+make -j8
+```
+
+This yields `u-boot.bin`.
+
+## FIP
+
+```bash
+git clone https://github.com/libreelec/amlogic-boot-fip
+cd amlogic-boot-fip
+mkdir mnt-reform2-a311d
+./build-fip.sh bananapi-cm4io ../u-boot/u-boot.bin mnt-reform2-a311d
+```
+
+This yields `mnt-reform2-a311d/u-boot.bin.sd.bin` et al.
+
+## Flash
+
+Replace sdX with target SD card.
+
+```bash
+dd if=mnt-reform2-a311d/u-boot.bin.sd.bin of=/dev/sdX conv=fsync,notrunc bs=512 skip=1 seek=1
+# apparently not needed:
+# dd if=mnt-reform2-a311d/u-boot.bin.sd.bin of=/dev/sdX conv=fsync,notrunc bs=1 count=440
+```
+
+See also:
+
+- https://u-boot.readthedocs.io/en/latest/board/amlogic/bananapi-cm4io.html
+- https://github.com/angerman/meson64-tools
diff --git a/reform2-a311d/boot/bananapi-cm4-mnt-reform2_defconfig b/reform2-a311d/boot/bananapi-cm4-mnt-reform2_defconfig
new file mode 100644
index 0000000000000000000000000000000000000000..35748b733f2e7e0fd96713320d5e8ec6226d5b75
--- /dev/null
+++ b/reform2-a311d/boot/bananapi-cm4-mnt-reform2_defconfig
@@ -0,0 +1,84 @@
+CONFIG_ARM=y
+CONFIG_ARCH_MESON=y
+CONFIG_TEXT_BASE=0x01000000
+CONFIG_NR_DRAM_BANKS=1
+CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y
+CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0x20000000
+CONFIG_ENV_SIZE=0x2000
+CONFIG_DM_GPIO=y
+CONFIG_DEFAULT_DEVICE_TREE="meson-g12b-bananapi-cm4-mnt-reform2"
+CONFIG_OF_LIBFDT_OVERLAY=y
+CONFIG_DM_RESET=y
+CONFIG_MESON_G12A=y
+CONFIG_DEBUG_UART_BASE=0xff803000
+CONFIG_DEBUG_UART_CLOCK=24000000
+CONFIG_IDENT_STRING="bpi-cm4-mnt-reform2"
+CONFIG_SYS_LOAD_ADDR=0x1000000
+CONFIG_PCI=y
+CONFIG_DEBUG_UART=y
+CONFIG_REMAKE_ELF=y
+CONFIG_OF_BOARD_SETUP=y
+# CONFIG_DISPLAY_CPUINFO is not set
+CONFIG_MISC_INIT_R=y
+CONFIG_SYS_MAXARGS=32
+# CONFIG_CMD_BDI is not set
+# CONFIG_CMD_IMI is not set
+CONFIG_CMD_GPIO=y
+# CONFIG_CMD_LOADS is not set
+CONFIG_CMD_MMC=y
+CONFIG_CMD_PCI=y
+CONFIG_CMD_USB=y
+CONFIG_CMD_USB_MASS_STORAGE=y
+# CONFIG_CMD_SETEXPR is not set
+CONFIG_CMD_REGULATOR=y
+CONFIG_OF_CONTROL=y
+CONFIG_SYS_RELOC_GD_ENV_ADDR=y
+CONFIG_ADC=y
+CONFIG_SARADC_MESON=y
+CONFIG_BUTTON=y
+CONFIG_BUTTON_ADC=y
+CONFIG_MMC_MESON_GX=y
+CONFIG_PHY_REALTEK=y
+CONFIG_DM_MDIO=y
+CONFIG_DM_MDIO_MUX=y
+CONFIG_ETH_DESIGNWARE_MESON8B=y
+CONFIG_MDIO_MUX_MESON_G12A=y
+CONFIG_PCIE_DW_MESON=y
+CONFIG_MESON_G12A_USB_PHY=y
+CONFIG_PINCTRL=y
+CONFIG_PINCTRL_MESON_G12A=y
+CONFIG_POWER_DOMAIN=y
+CONFIG_MESON_EE_POWER_DOMAIN=y
+CONFIG_DM_REGULATOR=y
+CONFIG_DM_REGULATOR_FIXED=y
+CONFIG_DEBUG_UART_ANNOUNCE=y
+CONFIG_DEBUG_UART_SKIP_INIT=y
+CONFIG_MESON_SERIAL=y
+CONFIG_SYSINFO=y
+CONFIG_SYSINFO_SMBIOS=y
+CONFIG_USB=y
+CONFIG_DM_USB_GADGET=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB_XHCI_DWC3=y
+CONFIG_USB_DWC3=y
+# CONFIG_USB_DWC3_GADGET is not set
+CONFIG_USB_DWC3_MESON_G12A=y
+CONFIG_USB_KEYBOARD=y
+CONFIG_USB_GADGET=y
+CONFIG_USB_GADGET_VENDOR_NUM=0x1b8e
+CONFIG_USB_GADGET_PRODUCT_NUM=0xfada
+CONFIG_USB_GADGET_DWC2_OTG=y
+CONFIG_USB_GADGET_DWC2_OTG_PHY_BUS_WIDTH_8=y
+CONFIG_USB_GADGET_DOWNLOAD=y
+CONFIG_VIDEO=y
+# CONFIG_VIDEO_BPP8 is not set
+# CONFIG_VIDEO_BPP16 is not set
+CONFIG_SYS_WHITE_ON_BLACK=y
+CONFIG_VIDEO_MESON=y
+CONFIG_VIDEO_DT_SIMPLEFB=y
+CONFIG_SPLASH_SCREEN=y
+CONFIG_SPLASH_SCREEN_ALIGN=y
+CONFIG_VIDEO_BMP_RLE8=y
+CONFIG_BMP_16BPP=y
+CONFIG_BMP_24BPP=y
+CONFIG_BMP_32BPP=y
diff --git a/reform2-a311d/boot/dts-makefile.patch b/reform2-a311d/boot/dts-makefile.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8b826eecb8b47037364378ed6d04d8cb58654d1e
--- /dev/null
+++ b/reform2-a311d/boot/dts-makefile.patch
@@ -0,0 +1,12 @@
+diff --git a/arch/arm/dts/Makefile b/arch/arm/dts/Makefile
+index 480269fa60..2801246e53 100644
+--- a/arch/arm/dts/Makefile
++++ b/arch/arm/dts/Makefile
+@@ -213,6 +213,7 @@ dtb-$(CONFIG_ARCH_MESON) += \
+ 	meson-g12b-a311d-bananapi-m2s.dtb \
+ 	meson-g12b-a311d-khadas-vim3.dtb \
+ 	meson-g12b-bananapi-cm4-cm4io.dtb \
++	meson-g12b-bananapi-cm4-mnt-reform2.dtb \
+ 	meson-g12b-gsking-x.dtb \
+ 	meson-g12b-gtking.dtb \
+ 	meson-g12b-gtking-pro.dtb \
diff --git a/reform2-a311d/boot/meson-g12b-bananapi-cm4-mnt-reform2.dts b/reform2-a311d/boot/meson-g12b-bananapi-cm4-mnt-reform2.dts
new file mode 100644
index 0000000000000000000000000000000000000000..ae3fd04b30528ad133571a465901cda7b4ae9f47
--- /dev/null
+++ b/reform2-a311d/boot/meson-g12b-bananapi-cm4-mnt-reform2.dts
@@ -0,0 +1,391 @@
+// SPDX-License-Identifier: (GPL-2.0+ OR MIT)
+/*
+ * Copyright (c) 2023 Neil Armstrong <neil.armstrong@linaro.org>
+ * Copyright 2023 MNT Research GmbH
+ */
+
+/dts-v1/;
+
+#include "meson-g12b-bananapi-cm4.dtsi"
+#include <dt-bindings/input/input.h>
+#include <dt-bindings/leds/common.h>
+#include <dt-bindings/sound/meson-g12a-tohdmitx.h>
+
+/ {
+	model = "MNT Reform 2 with BPI-CM4 Module";
+	compatible = "mntre,reform2-cm4", "bananapi,bpi-cm4", "amlogic,a311d", "amlogic,g12b";
+	chassis-type = "laptop";
+
+	aliases {
+		ethernet0 = &ethmac;
+		i2c0 = &i2c1;
+		i2c1 = &i2c3;
+	};
+
+	hdmi_connector: hdmi-connector {
+		compatible = "hdmi-connector";
+		type = "a";
+
+		port {
+			hdmi_connector_in: endpoint {
+				remote-endpoint = <&hdmi_tx_tmds_out>;
+			};
+		};
+	};
+
+	leds {
+		compatible = "gpio-leds";
+
+		led-blue {
+			color = <LED_COLOR_ID_BLUE>;
+			function = LED_FUNCTION_STATUS;
+			gpios = <&gpio_ao GPIOAO_7 GPIO_ACTIVE_HIGH>;
+			linux,default-trigger = "heartbeat";
+		};
+
+		led-green {
+			color = <LED_COLOR_ID_GREEN>;
+			function = LED_FUNCTION_STATUS;
+			gpios = <&gpio_ao GPIOAO_2 GPIO_ACTIVE_HIGH>;
+		};
+	};
+
+	sound {
+		compatible = "amlogic,axg-sound-card";
+		model = "MNT-REFORM2-BPI-CM4";
+		audio-widgets = "Headphone", "Headphone Jack",
+					    "Speaker", "External Speaker",
+					    "Microphone", "Mic Jack";
+		audio-aux-devs = <&tdmout_a>, <&tdmout_b>, <&tdmin_b>;
+		audio-routing =	"TDMOUT_A IN 0", "FRDDR_A OUT 0",
+				"TDMOUT_A IN 1", "FRDDR_B OUT 0",
+				"TDMOUT_A IN 2", "FRDDR_C OUT 0",
+				"TDM_A Playback", "TDMOUT_A OUT",
+				"TDMOUT_B IN 0", "FRDDR_A OUT 1",
+				"TDMOUT_B IN 1", "FRDDR_B OUT 1",
+				"TDMOUT_B IN 2", "FRDDR_C OUT 1",
+				"TDM_B Playback", "TDMOUT_B OUT",
+				"TDMIN_B IN 1", "TDM_B Capture",
+				"TDMIN_B IN 4", "TDM_B Loopback",
+				"TODDR_A IN 1", "TDMIN_B OUT",
+				"TODDR_B IN 1", "TDMIN_B OUT",
+				"TODDR_C IN 1", "TDMIN_B OUT",
+				"Headphone Jack", "HP_L",
+				"Headphone Jack", "HP_R",
+				"External Speaker", "SPK_LP",
+				"External Speaker", "SPK_LN",
+				"External Speaker", "SPK_RP",
+				"External Speaker", "SPK_RN",
+				"LINPUT1", "Mic Jack",
+				"Mic Jack", "MICB";
+
+		assigned-clocks = <&clkc CLKID_MPLL2>,
+					<&clkc CLKID_MPLL0>,
+					<&clkc CLKID_MPLL1>;
+		assigned-clock-parents = <0>, <0>, <0>;
+		assigned-clock-rates = <294912000>,
+				       <270950400>,
+				       <393216000>;
+
+		dai-link-0 {
+			sound-dai = <&frddr_a>;
+		};
+
+		dai-link-1 {
+			sound-dai = <&frddr_b>;
+		};
+
+		dai-link-2 {
+			sound-dai = <&frddr_c>;
+		};
+
+		dai-link-3 {
+			sound-dai = <&toddr_a>;
+		};
+
+		dai-link-4 {
+			sound-dai = <&toddr_b>;
+		};
+
+		dai-link-5 {
+			sound-dai = <&toddr_c>;
+		};
+
+		/* 8ch hdmi interface */
+		dai-link-6 {
+			sound-dai = <&tdmif_a>;
+			dai-format = "i2s";
+			dai-tdm-slot-tx-mask-0 = <1 1>;
+			dai-tdm-slot-tx-mask-1 = <1 1>;
+			dai-tdm-slot-tx-mask-2 = <1 1>;
+			dai-tdm-slot-tx-mask-3 = <1 1>;
+			mclk-fs = <256>;
+
+			codec {
+				sound-dai = <&tohdmitx TOHDMITX_I2S_IN_A>;
+			};
+		};
+
+		/* Analog Audio */
+		dai-link-7 {
+			sound-dai = <&tdmif_b>;
+			dai-format = "i2s";
+			dai-tdm-slot-tx-mask-0 = <1 1>;
+			mclk-fs = <256>;
+
+			codec {
+				sound-dai = <&wm8960>;
+			};
+		};
+
+		/* hdmi glue */
+		dai-link-8 {
+			sound-dai = <&tohdmitx TOHDMITX_I2S_OUT>;
+
+			codec {
+				sound-dai = <&hdmi_tx>;
+			};
+		};
+	};
+
+	reg_main_1v8: regulator-main-1v8 {
+		compatible = "regulator-fixed";
+		regulator-name = "1V8";
+		regulator-min-microvolt = <1800000>;
+		regulator-max-microvolt = <1800000>;
+		vin-supply = <&reg_main_3v3>;
+	};
+
+	reg_main_1v2: regulator-main-1v2 {
+		compatible = "regulator-fixed";
+		regulator-name = "1V2";
+		regulator-min-microvolt = <1200000>;
+		regulator-max-microvolt = <1200000>;
+		vin-supply = <&reg_main_5v>;
+	};
+
+	reg_main_3v3: regulator-main-3v3 {
+		compatible = "regulator-fixed";
+		regulator-name = "3V3";
+		regulator-min-microvolt = <3300000>;
+		regulator-max-microvolt = <3300000>;
+	};
+
+	reg_main_5v: regulator-main-5v {
+		compatible = "regulator-fixed";
+		regulator-name = "5V";
+		regulator-min-microvolt = <5000000>;
+		regulator-max-microvolt = <5000000>;
+	};
+
+	reg_main_usb: regulator-main-usb {
+		compatible = "regulator-fixed";
+		regulator-name = "USB_PWR";
+		regulator-min-microvolt = <5000000>;
+		regulator-max-microvolt = <5000000>;
+		vin-supply = <&reg_main_5v>;
+	};
+
+	backlight: backlight {
+		compatible = "pwm-backlight";
+		pwms = <&pwm_AO_ab 0 10000 0>;
+		power-supply = <&reg_main_usb>;
+		enable-gpios = <&gpio 58 GPIO_ACTIVE_HIGH>;
+		brightness-levels = <0 32 64 128 160 200 255>;
+		default-brightness-level = <6>;
+
+		status = "okay";
+	};
+
+	/*panel {
+		compatible = "innolux,n125hce-gn1", "simple-panel";
+		power-supply = <&reg_main_3v3>;
+		backlight = <&backlight>;
+		no-hpd;
+
+		status = "okay";
+
+		port {
+			panel_in: endpoint {
+				remote-endpoint = <&edp_bridge_out>;
+			};
+		};
+	};*/
+
+	clock_12288: clock_12288 {
+		compatible = "fixed-clock";
+		#clock-cells = <0>;
+		clock-frequency = <12288000>;
+	};
+};
+
+/* not yet supported by u-boot */
+
+/*&mipi_analog_dphy {
+	status = "okay";
+};
+
+&mipi_dphy {
+	status = "okay";
+};
+
+&mipi_dsi {
+	status = "okay";
+
+	assigned-clocks = <&clkc CLKID_GP0_PLL>,
+			  <&clkc CLKID_MIPI_DSI_PXCLK_SEL>,
+			  <&clkc CLKID_MIPI_DSI_PXCLK>,
+			  <&clkc CLKID_CTS_ENCL_SEL>,
+			  <&clkc CLKID_VCLK2_SEL>;
+	assigned-clock-parents = <0>,
+				 <&clkc CLKID_GP0_PLL>,
+				 <0>,
+				 <&clkc CLKID_VCLK2_DIV1>,
+				 <&clkc CLKID_GP0_PLL>;
+	assigned-clock-rates = <936000000>,
+			       <0>,
+			       <936000000>,
+			       <0>,
+			       <0>;
+};
+
+&mipi_dsi_panel_port {
+	mipi_dsi_out: endpoint {
+		remote-endpoint = <&edp_bridge_in>;
+	};
+};*/
+
+&cecb_AO {
+	status = "okay";
+};
+
+&ethmac {
+	status = "okay";
+};
+
+&hdmi_tx {
+	status = "okay";
+};
+
+&hdmi_tx_tmds_port {
+	hdmi_tx_tmds_out: endpoint {
+		remote-endpoint = <&hdmi_connector_in>;
+	};
+};
+
+&pwm_AO_ab {
+	pinctrl-names = "default";
+	pinctrl-0 = <&pwm_ao_a_pins>;
+	status = "okay";
+};
+
+&i2c0 {
+	status = "okay";
+};
+
+/*&i2c3 {
+	status = "okay";
+
+	edp_bridge: bridge@2c {
+		compatible = "ti,sn65dsi86";
+		reg = <0x2c>;
+		enable-gpios = <&gpio GPIOX_10 GPIO_ACTIVE_HIGH>; // PIN_24 / GPIO8
+		vccio-supply = <&reg_main_1v8>;
+		vpll-supply = <&reg_main_1v8>;
+		vcca-supply = <&reg_main_1v2>;
+		vcc-supply = <&reg_main_1v2>;
+
+		ports {
+			#address-cells = <1>;
+			#size-cells = <0>;
+
+			port@0 {
+				reg = <0>;
+
+				edp_bridge_in: endpoint {
+					remote-endpoint = <&mipi_dsi_out>;
+				};
+			};
+
+			port@1 {
+				reg = <1>;
+
+				edp_bridge_out: endpoint {
+					remote-endpoint = <&panel_in>;
+				};
+			};
+		};
+	};
+};*/
+
+&i2c2 {
+	status = "okay";
+
+	wm8960: codec@1a {
+		compatible = "wlf,wm8960";
+		reg = <0x1a>;
+		clocks = <&clock_12288>;
+		clock-names = "mclk";
+		#sound-dai-cells = <0>;
+		wlf,shared-lrclk;
+	};
+
+	rtc@68 {
+		compatible = "nxp,pcf8523";
+		reg = <0x68>;
+	};
+};
+
+&pcie {
+	status = "okay";
+};
+
+&sd_emmc_b {
+	status = "okay";
+};
+
+&tdmif_a {
+	status = "okay";
+};
+
+&tdmout_a {
+	status = "okay";
+};
+
+&tdmif_b {
+	pinctrl-0 = <&tdm_b_dout0_pins>, <&tdm_b_fs_pins>, <&tdm_b_sclk_pins>, <&tdm_b_din1_pins>;
+	pinctrl-names = "default";
+
+	assigned-clocks = <&clkc_audio AUD_CLKID_TDM_SCLK_PAD1>,
+			  <&clkc_audio AUD_CLKID_TDM_LRCLK_PAD1>;
+	assigned-clock-parents = <&clkc_audio AUD_CLKID_MST_B_SCLK>,
+				 <&clkc_audio AUD_CLKID_MST_B_LRCLK>;
+	assigned-clock-rates = <0>, <0>;
+};
+
+
+&tdmin_b {
+	status = "okay";
+};
+
+&toddr_a {
+	status = "okay";
+};
+
+&toddr_b {
+	status = "okay";
+};
+
+&toddr_c {
+	status = "okay";
+};
+
+&tohdmitx {
+	status = "okay";
+};
+
+&usb {
+	dr_mode = "host";
+
+	status = "okay";
+};
diff --git a/reform2-a311d/flash.bin b/reform2-a311d/flash.bin
new file mode 100644
index 0000000000000000000000000000000000000000..860d311014bb7a9b63e95e8a6f5bbd44f8e52b0e
Binary files /dev/null and b/reform2-a311d/flash.bin differ
diff --git a/reform2-a311d/mkimage.sh b/reform2-a311d/mkimage.sh
new file mode 100755
index 0000000000000000000000000000000000000000..7a691068b418d82a029f0c7ca23bcfcbcf2ea9cb
--- /dev/null
+++ b/reform2-a311d/mkimage.sh
@@ -0,0 +1,106 @@
+#!/bin/bash
+
+set -x
+set -e
+
+export LC_ALL=C.UTF-8
+
+# make sure build tools are installed
+DEPS="mmdebstrap genext2fs e2fsprogs git mount parted"
+if [ "$(dpkg --print-architecture)" != arm64 ]; then
+	DEPS="$DEPS arch-test qemu-user-static"
+fi
+if [ "$(dpkg-query --showformat '${db:Status-Status}\n' --show $DEPS | sort -u)" != "installed" ]; then
+	echo "Not all dependencies of this script are installed."
+	echo "Run the following command to install them:"
+	echo
+	echo "    sudo apt install $DEPS"
+	exit 1
+fi
+if dpkg --compare-versions "$(dpkg-query --showformat='${Version}\n' --show mmdebstrap)" lt "0.8.4-1"; then
+	echo "mmdebstrap version must be >= 0.8.4-1"
+	exit 1
+fi
+if dpkg --compare-versions "$(dpkg-query --showformat='${Version}\n' --show genext2fs)" lt "1.5.0-2"; then
+	echo "genext2fs version must be >= 1.5.0-2"
+	exit 1
+fi
+
+# if we are in a git repository and if SOURCE_DATE_EPOCH is not set, use the
+# timestamp of the latest git commit
+if [ -z ${SOURCE_DATE_EPOCH+x} ] && git -C . rev-parse 2>/dev/null; then
+	SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)
+else
+	SOURCE_DATE_EPOCH=$(date +%s)
+fi
+export SOURCE_DATE_EPOCH
+
+# /tmp might be too small for the full system, so we set a different TMPDIR
+export TMPDIR="$(pwd)"
+
+# We need a separate partition for /boot for two reasons:
+#
+# 1) To boot encrypted NVMe
+# 2) If we boot a system that is not on the SD-Card (even unencrypted) then we
+#    need to mount the partition containing kernel, initrd and dtb. If /boot is
+#    not in its own partition, then mounting that partition to /boot will
+#    result in the files being in /boot/boot. So we need to create a partition
+#    where kernel, initrd and dtb are at the root of the partition. Otherwise
+#    we cannot upgrade the kernel from the booted system.
+
+# debian-installer chooses 999424 sectors (= 488MB) by default
+BOOTSIZE=488
+ROOTSIZE=4096
+IMGNAME=reform-system.img
+
+# build u-boot
+if [ ! -f flash.bin ]
+then
+    cd boot
+    git clone --depth 1 https://github.com/u-boot/u-boot
+    cd u-boot
+    export CROSS_COMPILE=aarch64-linux-gnu-
+    export ARCH=arm64
+
+    cp ../meson-g12b-bananapi-cm4-mnt-reform2.dts arch/arm/dts/
+    patch -p1 <../dts-makefile.patch
+    cp ../bananapi-cm4-mnt-reform2_defconfig configs/
+
+    make bananapi-cm4-mnt-reform2_defconfig
+    make -j8
+    cd ..
+    # build FIP
+    git clone --depth 1 https://github.com/libreelec/amlogic-boot-fip
+    cd amlogic-boot-fip
+    mkdir mnt-reform2-a311d
+    ./build-fip.sh bananapi-cm4io ../u-boot/u-boot.bin mnt-reform2-a311d
+    cp mnt-reform2-a311d/u-boot.bin.sd.bin ../../flash.bin
+fi
+
+# build the debian userland and configure it
+./mkuserland.sh
+
+# system ---------------------------------------------------------
+
+mmtarfilter --path-exclude='/boot/*' < target-userland.tar \
+	| genext2fs --volume-label reformsdroot --block-size 1024 --size-in-blocks $((ROOTSIZE*1024)) --bytes-per-inode 16384 --tarball - "$IMGNAME"
+fallocate --insert-range --offset=0 --length=$((((BOOTSIZE+4)*1024*1024))) "$IMGNAME"
+mmtarfilter --path-exclude='*' --path-include=/boot --path-include='/boot/*' --strip-components=2 < target-userland.tar \
+	| genext2fs --volume-label reformsdboot --block-size 1024 --size-in-blocks $((BOOTSIZE*1024)) --bytes-per-inode 16384 --tarball - boot.img
+dd if=boot.img of="$IMGNAME" seek=1 bs=4194304 conv=notrunc
+rm boot.img
+truncate --size="+512" "$IMGNAME"
+/sbin/parted -s "$IMGNAME" "mklabel msdos"
+# reproducible disk signature
+printf mntr | dd of="$IMGNAME" seek=440 bs=1 conv=notrunc
+/sbin/parted -s "$IMGNAME" "mkpart primary ext4 4MiB $((BOOTSIZE+4))MiB"
+/sbin/parted -s "$IMGNAME" "mkpart primary ext4 $((BOOTSIZE+4))MiB $((BOOTSIZE+ROOTSIZE+4))MiB"
+/sbin/parted -s "$IMGNAME" print
+
+# install u-boot for A311D
+dd if=./flash.bin of="$IMGNAME" conv=notrunc bs=512 skip=1 seek=1
+
+rm target-userland.tar
+
+echo Reform System Image for BPI-CM4 A311D created: "$IMGNAME", MD5 checksum:
+md5sum "$IMGNAME"
diff --git a/reform2-a311d/mkuserland.sh b/reform2-a311d/mkuserland.sh
new file mode 100755
index 0000000000000000000000000000000000000000..68a240f92bae54faaa0a83eb52f188a2be318007
--- /dev/null
+++ b/reform2-a311d/mkuserland.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+set -x
+
+source ../reform2-common/userland-common.sh
+
+mmdebstrap \
+	--architectures=arm64 \
+	--components=main,non-free-firmware \
+	--variant="minbase" \
+	--verbose \
+	--include="$PKGSGUI $PKGSNET $PKGSADMIN $PKGSUTILS $PKGSMISC firmware-realtek" \
+	--skip=cleanup/reproducible \
+	${comment#setup apt preferences} \
+	--setup-hook='{ echo "Package: *"; echo "Pin: release n=reform, l=reform"; echo "Pin-Priority: 990"; } > "$1"/etc/apt/preferences.d/reform.pref' \
+	${comment#setup flash-kernel} \
+	--essential-hook='mkdir -p "$1"/etc/flash-kernel/ubootenv.d' \
+	--essential-hook='mkdir -p "$1"/etc/flash-kernel/preboot.d' \
+	--essential-hook='echo "MNT Reform 2 with BPI-CM4 Module" > "$1"/etc/flash-kernel/machine' \
+	--essential-hook='{ echo LABEL=reformsdroot / auto errors=remount-ro 0 1; echo LABEL=reformsdboot /boot auto errors=remount-ro 0 1; } > "$1"/etc/fstab' \
+	--essential-hook='{ echo LINUX_KERNEL_CMDLINE=\"console=ttyAML0,115200 console=tty1\"; echo LINUX_KERNEL_CMDLINE_DEFAULTS=\"ro no_console_suspend cma=512M pci=pcie_bus_perf libata.force=noncq nvme_core.default_ps_max_latency_us=0\"; } > "$1"/etc/default/flash-kernel' \
+	${comment#create boot.scr even if host running this uses EFI} \
+	--essential-hook='echo yes > "$1"/etc/flash-kernel/ignore-efi' \
+	${comment#select timezone} \
+	--essential-hook='echo tzdata tzdata/Areas select Europe | chroot "$1" debconf-set-selections' \
+	--essential-hook='echo tzdata tzdata/Zones/Europe select Berlin | chroot "$1" debconf-set-selections' \
+	${comment#select locales} \
+	--essential-hook='echo locales locales/default_environment_locale select en_US.UTF-8 | chroot "$1" debconf-set-selections' \
+	--essential-hook='echo locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8 | chroot "$1" debconf-set-selections' \
+	${comment#set up motd} \
+	--customize-hook='rm -f "$1"/etc/motd' \
+	--customize-hook='ln -s motd-full "$1"/etc/motd' \
+	${comment#provide a copy of u-boot for (re)flashing} \
+	--customize-hook='copy-in flash.bin /boot' \
+	--customize-hook='chown -R root:root "$1"/boot/flash.bin' \
+	${comment#populate root user and skel} \
+	--customize-hook='echo '"'"'if [ "$(whoami)" = "root" ]; then cat /etc/reform-root-help; elif [ -z "$WAYLAND_DISPLAY" ]; then cat /etc/reform-help; fi'"'"' >> "$1"/etc/skel/.profile' \
+	--customize-hook='chroot "$1" sh -c "rsync -Pha /etc/skel/ /root"' \
+	${comment#populate /etc} \
+	--customize-hook='echo reform > "$1"/etc/hostname' \
+	--customize-hook='{ echo 127.0.0.1 localhost reform; echo ::1 localhost ip6-localhost ip6-loopback reform; echo ff02::1 ip6-allnodes; echo ff02::2 ip6-allrouters; } > "$1"/etc/hosts' \
+	${comment#or else EXTRA_GROUPS doesnt work?} \
+	--customize-hook='sed -i "s/^#EXTRA_GROUPS=.*/EXTRA_GROUPS=audio cdrom dip floppy video plugdev netdev/" "$1"/etc/adduser.conf' \
+	--customize-hook='sed -i "s/^#ADD_EXTRA_GROUPS=.*/ADD_EXTRA_GROUPS=1/" "$1"/etc/adduser.conf' \
+	${comment#remove root password -- using `passwd -d root` produces unreproducible output} \
+	--customize-hook='echo "root:root" | chroot "$1" chpasswd' \
+	--customize-hook='chroot "$1" sed -i "s/^root:[^:]\+:/root::/" /etc/shadow' \
+	--customize-hook='rm "$1"/etc/resolv.conf' \
+	--customize-hook='rm "$1"/var/lib/dbus/machine-id' ${comment#gets regenerated by dbus} \
+	unstable target-userland.tar http://deb.debian.org/debian "deb [arch=arm64 trusted=yes] https://mntre.com/reform-debian-repo reform main"
diff --git a/reform2-common/userland-common.sh b/reform2-common/userland-common.sh
new file mode 100755
index 0000000000000000000000000000000000000000..16bfe6198bfd122873d21a60294bdf402a273279
--- /dev/null
+++ b/reform2-common/userland-common.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+export PKGSGUI="xwayland xterm foot sway fonts-inter fonts-noto-color-emoji waybar swayidle swaylock mesa-utils lxpolkit wayland-protocols wofi wireplumber papirus-icon-theme wayfire firedecor libglib2.0-bin gsettings-desktop-schemas gnome-disk-utility gnome-themes-extra-data gnome-icon-theme gnome-settings-daemon gnome-system-monitor firefox grim slurp gedit evince mpv sxiv thunar pavucontrol unicode-data engrampa neverball minetest qt5ct kde-style-breeze python3-gi gir1.2-ayatanaappindicator3-0.1 dunst pkexec synaptic pasystray"
+
+export PKGSNET="iproute2 iptables inetutils-ping ircii elinks isc-dhcp-client netcat-traditional net-tools network-manager network-manager-gnome nfacct ntp ntpdate rsync telnet traceroute wpasupplicant curl wget w3m rfkill ifupdown netbase openssh-client blueman"
+
+export PKGSADMIN="apt apt-utils apt-listbugs apt-file cron cryptsetup lvm2 dbus-bin e2fsprogs fbset init-system-helpers ncdu parted pciutils policykit-1 procps sudo systemd systemd-sysv tmux u-boot-tools screen"
+
+export PKGSUTILS="busybox console-data console-setup cpio file flash-kernel gnupg gpgv htop kbd lm-sensors readline-common usbutils xdg-utils bsdmainutils less nano micro vim alsa-utils dosfstools python3-psutil reform-handbook"
+
+export PKGSMISC="brightnessctl brightness-udev ca-certificates debian-archive-keyring dialog gpm ncurses-term locales bash-completion man-db cryptsetup-initramfs linux-image-arm64 linux-headers-arm64 reform-tools"
diff --git a/reform2-imx8mq/mkimage.sh b/reform2-imx8mq/mkimage.sh
index 6dc7dc111bbfb8713d7c530536442aeed2162311..c9dca811d991ed2ef1a0c68031d85b561b6b8743 100755
--- a/reform2-imx8mq/mkimage.sh
+++ b/reform2-imx8mq/mkimage.sh
@@ -50,79 +50,36 @@ export TMPDIR="$(pwd)"
 
 # debian-installer chooses 999424 sectors (= 488MB) by default
 BOOTSIZE=488
-ROOTSIZE=2048
+ROOTSIZE=4096
+IMGNAME=reform-system.img
 
-# download u-boot v3 from CI
+# download u-boot v3 for imx8mq from CI
 /usr/lib/apt/apt-helper download-file https://source.mnt.re/reform/reform-boundary-uboot/-/jobs/artifacts/2023-07-04/raw/flash.bin\?job\=build flash.bin SHA1:41d2ba5fcc65f26224f7d1afed650e86662cea27
 
 # build the debian userland and configure it
 ./mkuserland.sh
 
-# Rescue System ---------------------------------------------------------
+# system ---------------------------------------------------------
 
 mmtarfilter --path-exclude='/boot/*' < target-userland.tar \
-	| genext2fs --block-size 1024 --size-in-blocks $((ROOTSIZE*1024)) --bytes-per-inode 16384 --tarball - reform-rescue-system.img
-fallocate --insert-range --offset=0 --length=$((((BOOTSIZE+4)*1024*1024))) reform-rescue-system.img
+	| genext2fs --volume-label reformsdroot --block-size 1024 --size-in-blocks $((ROOTSIZE*1024)) --bytes-per-inode 16384 --tarball - "$IMGNAME"
+fallocate --insert-range --offset=0 --length=$((((BOOTSIZE+4)*1024*1024))) "$IMGNAME"
 mmtarfilter --path-exclude='*' --path-include=/boot --path-include='/boot/*' --strip-components=2 < target-userland.tar \
-	| genext2fs --block-size 1024 --size-in-blocks $((BOOTSIZE*1024)) --bytes-per-inode 16384 --tarball - boot.img
-dd if=boot.img of=reform-rescue-system.img seek=1 bs=4194304 conv=notrunc
+	| genext2fs --volume-label reformsdboot --block-size 1024 --size-in-blocks $((BOOTSIZE*1024)) --bytes-per-inode 16384 --tarball - boot.img
+dd if=boot.img of="$IMGNAME" seek=1 bs=4194304 conv=notrunc
 rm boot.img
-truncate --size="+512" reform-rescue-system.img
-/sbin/parted -s reform-rescue-system.img "mklabel msdos"
+truncate --size="+512" "$IMGNAME"
+/sbin/parted -s "$IMGNAME" "mklabel msdos"
 # reproducible disk signature
-printf mntr | dd of=reform-rescue-system.img seek=440 bs=1 conv=notrunc
-/sbin/parted -s reform-rescue-system.img "mkpart primary ext4 4MiB $((BOOTSIZE+4))MiB"
-/sbin/parted -s reform-rescue-system.img "mkpart primary ext4 $((BOOTSIZE+4))MiB $((BOOTSIZE+ROOTSIZE+4))MiB"
-/sbin/parted -s reform-rescue-system.img print
+printf mntr | dd of="$IMGNAME" seek=440 bs=1 conv=notrunc
+/sbin/parted -s "$IMGNAME" "mkpart primary ext4 4MiB $((BOOTSIZE+4))MiB"
+/sbin/parted -s "$IMGNAME" "mkpart primary ext4 $((BOOTSIZE+4))MiB $((BOOTSIZE+ROOTSIZE+4))MiB"
+/sbin/parted -s "$IMGNAME" print
 
 # install u-boot for i.MX8MQ
-dd if=./flash.bin of=reform-rescue-system.img conv=notrunc bs=1k seek=33
-
-echo Reform Rescue System Image created: reform-rescue-system.img
-# Full System -----------------------------------------------------------
-
-# chroot into the userland and add extra applications
-./mkuserland3.sh
-
-ROOTSIZE=9000
-
-if [ $(id -u) -eq 0 ]; then
-	# genext2fs is very slow so if we run this script as root, we give up
-	# on reproducibility in favor of creating the image faster
-	mkdir target-userland
-	tar --directory target-userland --xattrs --xattrs-include='*' --extract --file target-userland-full.tar
-	/sbin/mke2fs -v -L 'MNTREFORMBOOT' -N 0 -E offset=4194304 -d target-userland/boot -t ext2 reform-system.img ${BOOTSIZE}M
-	rm -rf target-userland/boot/*
-	/sbin/mke2fs -v -L 'MNTREFORMROOT' -N 0 -O 64bit -E offset=$(((BOOTSIZE+4)*1024*1024)) -d target-userland -m 5 -r 1 -t ext4 reform-system.img ${ROOTSIZE}M
-	rm -rf target-userland
-else
-	# if we don't run as root, use the slow (but bit-by-bit reproducible)
-	# genext2fs instead
-	mmtarfilter --path-exclude='/boot/*' < target-userland-full.tar \
-		| genext2fs --block-size 1024 --size-in-blocks $((ROOTSIZE*1024)) --bytes-per-inode 16384 --tarball - reform-system.img
-	fallocate --insert-range --offset=0 --length=$((((BOOTSIZE+4)*1024*1024))) reform-system.img
-	mmtarfilter --path-exclude='*' --path-include=/boot --path-include='/boot/*' --strip-components=2 < target-userland-full.tar \
-		| genext2fs --block-size 1024 --size-in-blocks $((BOOTSIZE*1024)) --bytes-per-inode 16384 --tarball - boot.img
-	dd if=boot.img of=reform-system.img seek=1 bs=4194304 conv=notrunc
-	rm boot.img
-fi
-truncate --size="+512" reform-system.img
-/sbin/parted -s reform-system.img "mklabel msdos"
-# reproducible disk signature
-printf mntr | dd of=reform-system.img seek=440 bs=1 conv=notrunc
-/sbin/parted -s reform-system.img "mkpart primary ext4 4MiB $((BOOTSIZE+4))MiB"
-/sbin/parted -s reform-system.img "mkpart primary ext4 $((BOOTSIZE+4))MiB $((BOOTSIZE+ROOTSIZE+4))MiB"
-/sbin/parted -s reform-system.img print
-
-# install u-boot for i.MX8MQ
-dd if=./flash.bin of=reform-system.img conv=notrunc bs=1k seek=33
-rm flash.bin
+dd if=./flash.bin of="$IMGNAME" conv=notrunc bs=1k seek=33
 
 rm target-userland.tar
-rm target-userland-full.tar
-
-echo Reform Full System Image created: reform-system.img
-
-echo The created system images should have the following MD5 checksums:
 
-md5sum reform-rescue-system.img reform-system.img
+echo Reform System Image for i.MX8MQ created: "$IMGNAME", MD5 checksum:
+md5sum "$IMGNAME"
diff --git a/reform2-imx8mq/mkuserland.sh b/reform2-imx8mq/mkuserland.sh
index c3e331307951027a3ba2c39d0f019a30ab9de38e..ad6ad8b643f7b0af4d321b271554f93e10170c83 100755
--- a/reform2-imx8mq/mkuserland.sh
+++ b/reform2-imx8mq/mkuserland.sh
@@ -3,15 +3,7 @@
 set -e
 set -x
 
-PKGSGUI="xwayland xterm xfce4-terminal sway waybar swayidle swaylock mesa-utils lxpolkit wayland-protocols rofi wdisplays"
-
-PKGSNET="iproute2 iptables iputils-ping ircii elinks isc-dhcp-client netcat-traditional net-tools network-manager nfacct ntp ntpdate rsync telnet traceroute wpasupplicant curl wget w3m rfkill ifupdown netbase openssh-client"
-
-PKGSADMIN="apt apt-utils apt-listbugs apt-file cron cryptsetup lvm2 dbus-bin e2fsprogs fbset init-system-helpers ncdu parted pciutils policykit-1 procps sudo systemd systemd-sysv tmux u-boot-tools screen"
-
-PKGSUTILS="busybox console-data console-setup cpio file flash-kernel gnupg gpgv htop kbd lm-sensors readline-common usbutils xdg-utils bsdmainutils less nano micro vim alsa-utils dosfstools python3-psutil"
-
-PKGSMISC="brightnessctl brightness-udev ca-certificates debian-archive-keyring dialog gpm ncurses-term locales bash-completion man-db cryptsetup-initramfs linux-image-arm64 linux-headers-arm64 reform-tools reform-handbook"
+source ../reform2-common/userland-common.sh
 
 mmdebstrap \
 	--architectures=arm64 \
@@ -26,7 +18,7 @@ mmdebstrap \
 	--essential-hook='mkdir -p "$1"/etc/flash-kernel/ubootenv.d' \
 	--essential-hook='mkdir -p "$1"/etc/flash-kernel/preboot.d' \
 	--essential-hook='echo "MNT Reform 2" > "$1"/etc/flash-kernel/machine' \
-	--essential-hook='{ echo /dev/mmcblk1p2 / auto errors=remount-ro 0 1; echo /dev/mmcblk1p1 /boot auto errors=remount-ro 0 1; } > "$1"/etc/fstab' \
+	--essential-hook='{ echo LABEL=reformsdroot / auto errors=remount-ro 0 1; echo LABEL=reformsdboot /boot auto errors=remount-ro 0 1; } > "$1"/etc/fstab' \
 	--essential-hook='{ echo LINUX_KERNEL_CMDLINE=\"console=ttymxc0,115200 console=tty1\"; echo LINUX_KERNEL_CMDLINE_DEFAULTS=\"ro no_console_suspend cma=512M pci=nomsi\"; } > "$1"/etc/default/flash-kernel' \
 	${comment#create boot.scr even if host running this uses EFI} \
 	--essential-hook='echo yes > "$1"/etc/flash-kernel/ignore-efi' \
@@ -36,12 +28,9 @@ mmdebstrap \
 	${comment#select locales} \
 	--essential-hook='echo locales locales/default_environment_locale select en_US.UTF-8 | chroot "$1" debconf-set-selections' \
 	--essential-hook='echo locales locales/locales_to_be_generated multiselect en_US.UTF-8 UTF-8 | chroot "$1" debconf-set-selections' \
-	${comment#initramfs-tools} \
-	--essential-hook='mkdir -p "$1"/etc/initramfs-tools' \
-	--essential-hook='printf "pwm_imx27\nnwl-dsi\nti-sn65dsi86\nimx-dcss\npanel-edp\nmux-mmio\nmxsfb\nusbhid\nimx8mq-interconnect\n" > "$1"/etc/initramfs-tools/modules' \
 	${comment#set up motd} \
 	--customize-hook='rm -f "$1"/etc/motd' \
-	--customize-hook='ln -s motd-rescue "$1"/etc/motd' \
+	--customize-hook='ln -s motd-full "$1"/etc/motd' \
 	${comment#provide a copy of u-boot for (re)flashing} \
 	--customize-hook='copy-in flash.bin /boot' \
 	--customize-hook='chown -R root:root "$1"/boot/flash.bin' \