A way to disable bootup from SD card

edwin · October 29, 2024, 4:10pm

Hello,

The wago PFC200 has a SD card. I read, about the boot device order.

“7 Boot PFC with custom image “sd.hdimg” on SD-Card
PFC boot device order checks SD-Card slot before internal NAND.”

“PowerOff PFC
Insert SD-Card with custom-image
PowerOn PFC”"

Source: GitHub - WAGO/pfc-firmware-sdk-G2: Firmware SDK for PFC200-G2 family

In the facotory, only the firmware in the controller is allowed to run. Not from the SD card.

Can I disable the bootup from a SD card anywhere?

Thank you,
Newbie.

DR;TL;
For security reasons, I want to disable the SD card.
(No access to SD card at all, if possible. And no bootup from SD card, as a minimum.)
Is it possible? And how can I do it myself?

edwin · October 30, 2024, 7:34am

Addition / Note.

“Restrict access to the control cabinet” is the solution from the PFC100/PFC200 CyberSecurity manual.

Source: mxxxxxxxx__CyberSecurity__0en.pdf; Cyber Security for Controller PFC100/PFC200; Version 1.2.0

"5.2.1.6 Memory Card Slot
The controllers have a memory card slot (1). A potential attacker could start the system from a prepared SD card. As a general rule, as soon as an SD card is installed, the controller boots from the SD card. This allows the data in the internal flash memory to be manipulated or the control application to be interfered with directly. Manipulation is difficult or impossible to detect.

Note
Restrict access to the control cabinet:
Install the controller in a control cabinet and ensure that only a restricted group of persons has access to the control cabinet."

AdamReeve · October 30, 2024, 12:48pm

From the Web-Based Management, go to the Security tab and then the Boot Mode page. From there, you can disable booting from a memory card.

edwin · October 31, 2024, 8:44am

This morning, I tested this solution for the command line. And it woks. No boot up, from the SD card. Thank you.

$ /etc/config-tools/get_boot_mode --force_internal_boot --json
{“force_internal_boot”: “disabled”}

$ /etc/config-tools/config_boot_mode --force_internal_boot enabled

$ /etc/config-tools/get_boot_mode --force_internal_boot --json
{“force_internal_boot”: “enabled”}

Topic		Replies	Views
Mount internal flash when booted from SD-Card Hardware and Linux pfc200 , how-to , linux	3	78	February 7, 2025
SD card problem during firmware update Hardware and Linux	1	428	April 23, 2024
Active System - Internal flash problem Hardware and Linux pfc200	5	701	November 17, 2023
How To: Create a self installing SD Card (aka Magic SD) Hardware and Linux pfc200 , edge-controller	5	2778	May 22, 2025
Wago problems with docker Hardware and Linux pfc200 , docker	2	181	July 31, 2024

A way to disable bootup from SD card

Related topics