diff --git a/TODO.md b/TODO.md
index 349c56365..6ca8e1c96 100644
--- a/TODO.md
+++ b/TODO.md
@@ -14,15 +14,6 @@
 - syshud (volume overlay): when casting with `blast`, syshud doesn't react to volume changes
 - moby: after bringing the modem up, powering it down loses *complete* net connectivity (i.e. wlan is gone as well)
 - dissent: if i launch it without net connectivity, it gets stuck at the login, and never tries again
-- moby: kaslr is effectively disabled
-  - `dmesg | grep "KASLR disabled due to lack of seed"`
-  - fix by adding `kaslrseed` to uboot script before `booti`
-  -
-  - recent u-boot should do this automatically, if DM_RMG=y:
-    - this was merged after the v2024.07 merge window
-    but it made it to v2024.10-rc*
-  - i think there's a kernel config option for early entropy also
-    - e.g. EFISTUB + EFI_RNG_PROTOCOL
 - newflash on moby can't play videos
   - "open in browser" works though -- in mpv
 - gnome-maps can't use geoclue *and* openstreetmap at the same time
diff --git a/pkgs/by-name/u-boot-pinephone-pro/package.nix b/pkgs/by-name/u-boot-pinephone-pro/package.nix
index 8427ad908..1d572c326 100644
--- a/pkgs/by-name/u-boot-pinephone-pro/package.nix
+++ b/pkgs/by-name/u-boot-pinephone-pro/package.nix
@@ -5,6 +5,8 @@
 {
   armTrustedFirmwareRK3399,
   buildUBoot,
+  fetchurl,
+  lib,
 }:
 (buildUBoot {
@@ -24,10 +26,24 @@
     "u-boot-nodtb.bin"
     "u-boot.sym"
   ];
-}).overrideAttrs (base: {
+}).overrideAttrs (upstream: {
+  # upgrade to a release which includes this patch stack:
+  # i.e. 2024.10 or later.
+  # this gets us a security hardening feature: Kernel Address Space Layout Randomization (KASLR),
+  # identified by early linux print statements
+  # - "KASLR enabled" (good)
+  # - "KASLR disabled due to lack of seed" (bad)
+  version = lib.warnIf (lib.versionOlder "2024.10-rc6" upstream.version) "u-boot-pinephone-pro outdated: remove src override" "2024.10-rc6";
+  src = fetchurl {
+    url = "https://ftp.denx.de/pub/u-boot/u-boot-2024.10-rc6.tar.bz2";
+    hash = "sha256-13ma6wYgkJx2MO0/xfy8BGgq/wNMAYYkolhM8EuRQ9s=";
+  };
+  # default baud rate is 1500000, which is too fast for some USB <-> serial adapters to do
+  # CONFIG_DM_RNG is needed to seed the kernel, and avoid "KASLR disabled due to lack of seed"
   extraConfig = ''
     CONFIG_BAUDRATE=115200
+    CONFIG_DM_RNG=y
   '';
   # default layout is:
@@ -44,13 +60,13 @@
 #
 # this offers 63.5 MiB for the kernel.
 # unfortunately, my bloated kernels can be larger than that, so push the addresses back and hope it works:
-# postPatch = (base.postPatch or "") + ''
+# postPatch = (upstream.postPatch or "") + ''
 #   substituteInPlace include/configs/rk3399_common.h \
 #     --replace-fail ramdisk_addr_r=0x06000000 ramdisk_addr_r=0x0a000000 \
 #     --replace-fail kernel_comp_addr_r=0x08000000 kernel_comp_addr_r=0x0c000000
 # '';
-  env = (base.env or {}) // {
+  env = (upstream.env or {}) // {
     # XXX: RK3399 ships a blob for HDCP (media copy protection) in the trusted firmware.
     # that can be removed with:
     # `(arm-trusted-firmware.override { unfreeIncludeHDCPBlob = false; }).armTrustedFirmwareRK3399`, if so desired.
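Review bot: The "outdated" guard on the `version =` line will, as far as I can tell, not fire at the release the comment above it names as the goal: Nix's version ordering treats a trailing "rc6" component as greater than no component, so `lib.versionOlder "2024.10-rc6" "2024.10"` is false and the pin silently keeps the pre-release tarball over a 2024.10 final in upstream (it would only warn once upstream reaches 2024.11 or later). Since the override also bypasses any later nixpkgs src bump to this package, including security fixes, until the warning appears, the trigger should be expressed against the target release itself, e.g. `version = lib.warnIf (lib.versionAtLeast upstream.version "2024.10") "u-boot-pinephone-pro outdated: remove src override" "2024.10-rc6";`. The `overrideAttrs` attrset this belongs to continues past the end of the hunk.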