diff --git a/extmod/vfs.h b/extmod/vfs.h
index 67d5d9239a33e..699232e56cd87 100644
--- a/extmod/vfs.h
+++ b/extmod/vfs.h
@@ -52,6 +52,8 @@
 #define MP_BLOCKDEV_FLAG_CONCURRENT_WRITE_PROTECTED (0x0020)
 // Bit set when something has claimed the right to mutate the blockdev.
 #define MP_BLOCKDEV_FLAG_LOCKED (0x0040)
+// Ignore write protections. Used to override other flags temporarily.
+#define MP_BLOCKDEV_FLAG_IGNORE_WRITE_PROTECTION (0x0080)
 
 // constants for block protocol ioctl
 #define MP_BLOCKDEV_IOCTL_INIT          (1)
diff --git a/extmod/vfs_fat.c b/extmod/vfs_fat.c
index 5011a820af864..6267452cd32c7 100644
--- a/extmod/vfs_fat.c
+++ b/extmod/vfs_fat.c
@@ -427,13 +427,10 @@ static MP_DEFINE_CONST_FUN_OBJ_2(fat_vfs_statvfs_obj, fat_vfs_statvfs);
 static mp_obj_t vfs_fat_mount(mp_obj_t self_in, mp_obj_t readonly, mp_obj_t mkfs) {
     fs_user_mount_t *self = MP_OBJ_TO_PTR(self_in);
 
-    // Read-only device indicated by writeblocks[0] == MP_OBJ_NULL.
-    // User can specify read-only device by:
-    //  1. readonly=True keyword argument
-    //  2. nonexistent writeblocks method (then writeblocks[0] == MP_OBJ_NULL already)
-    if (mp_obj_is_true(readonly)) {
-        self->blockdev.writeblocks[0] = MP_OBJ_NULL;
-    }
+    // CIRCUITPY-CHANGE: Use MP_BLOCKDEV_FLAG_USB_WRITABLE instead of writeblocks[0] =/!= MP_OBJ_NULL
+    // to specify read-write.
+    // If readonly to Python, it's writable by USB and vice versa.
+    filesystem_set_writable_by_usb(self, mp_obj_is_true(readonly));
 
     // check if we need to make the filesystem
     FRESULT res = (self->blockdev.flags & MP_BLOCKDEV_FLAG_NO_FILESYSTEM) ? FR_NO_FILESYSTEM : FR_OK;
diff --git a/extmod/vfs_fat_diskio.c b/extmod/vfs_fat_diskio.c
index 6f500104d1e86..591da07eb5630 100644
--- a/extmod/vfs_fat_diskio.c
+++ b/extmod/vfs_fat_diskio.c
@@ -43,6 +43,9 @@
 #include "lib/oofatfs/diskio.h"
 #include "extmod/vfs_fat.h"
 
+// CIRCUITPY-CHANGE
+#include "supervisor/filesystem.h"
+
 typedef void *bdev_t;
 static fs_user_mount_t *disk_get_device(void *bdev) {
     return (fs_user_mount_t *)bdev;
@@ -153,7 +156,8 @@ DRESULT disk_ioctl(
             if (ret != mp_const_none && MP_OBJ_SMALL_INT_VALUE(ret) != 0) {
                 // error initialising
                 stat = STA_NOINIT;
-            } else if (vfs->blockdev.writeblocks[0] == MP_OBJ_NULL) {
+                // CIRCUITPY-CHANGE: writability from Python check
+            } else if (!filesystem_is_writable_by_python(vfs)) {
                 stat = STA_PROTECT;
             } else {
                 stat = 0;
diff --git a/main.c b/main.c
index d7f3c7aaf1bce..91687ff2f8bc7 100644
--- a/main.c
+++ b/main.c
@@ -863,6 +863,14 @@ static void __attribute__ ((noinline)) run_boot_py(safe_mode_t safe_mode) {
         boot_output = &boot_text;
         #endif
 
+        // Get the base filesystem.
+        fs_user_mount_t *vfs = filesystem_circuitpy();
+        FATFS *fs = &vfs->fatfs;
+
+        // Allow boot.py access to CIRCUITPY, and allow writes to boot_out.txt.
+        // We can't use the regular flags for this, because they might get modified inside boot.py.
+        filesystem_set_ignore_write_protection(vfs, true);
+
         // Write version info
         mp_printf(&mp_plat_print, "%s\nBoard ID:%s\n", MICROPY_FULL_VERSION_INFO, CIRCUITPY_BOARD_ID);
         #if CIRCUITPY_MICROCONTROLLER && COMMON_HAL_MCU_PROCESSOR_UID_LENGTH > 0
@@ -881,10 +889,6 @@ static void __attribute__ ((noinline)) run_boot_py(safe_mode_t safe_mode) {
 
 
         #ifdef CIRCUITPY_BOOT_OUTPUT_FILE
-        // Get the base filesystem.
-        fs_user_mount_t *vfs = filesystem_circuitpy();
-        FATFS *fs = &vfs->fatfs;
-
         boot_output = NULL;
         #if CIRCUITPY_STATUS_BAR
         supervisor_status_bar_resume();
@@ -906,9 +910,6 @@ static void __attribute__ ((noinline)) run_boot_py(safe_mode_t safe_mode) {
             // in case power is momentary or will fail shortly due to, say a low, battery.
             mp_hal_delay_ms(1000);
 
-            // USB isn't up, so we can write the file.
-            // operating at the oofatfs (f_open) layer means the usb concurrent write permission
-            // is not even checked!
             f_open(fs, &boot_output_file, CIRCUITPY_BOOT_OUTPUT_FILE, FA_WRITE | FA_CREATE_ALWAYS);
             UINT chars_written;
             f_write(&boot_output_file, boot_text.buf, boot_text.len, &chars_written);
@@ -916,6 +917,9 @@ static void __attribute__ ((noinline)) run_boot_py(safe_mode_t safe_mode) {
             filesystem_flush();
         }
         #endif
+
+        // Back to regular filesystem protections.
+        filesystem_set_ignore_write_protection(vfs, false);
     }
 
     cleanup_after_vm(_exec_result.exception);
diff --git a/supervisor/filesystem.h b/supervisor/filesystem.h
index a0445b0510da9..30cd83d443815 100644
--- a/supervisor/filesystem.h
+++ b/supervisor/filesystem.h
@@ -21,6 +21,7 @@ void filesystem_set_internal_writable_by_usb(bool usb_writable);
 void filesystem_set_internal_concurrent_write_protection(bool concurrent_write_protection);
 void filesystem_set_writable_by_usb(fs_user_mount_t *vfs, bool usb_writable);
 void filesystem_set_concurrent_write_protection(fs_user_mount_t *vfs, bool concurrent_write_protection);
+void filesystem_set_ignore_write_protection(fs_user_mount_t *vfs, bool ignore_write_protection);
 
 // Whether user code can modify the filesystem. It doesn't depend on the state
 // of USB. Don't use this for a workflow. In workflows, grab the shared file
diff --git a/supervisor/shared/filesystem.c b/supervisor/shared/filesystem.c
index 24c7f9bffc552..025c9ddbd6de3 100644
--- a/supervisor/shared/filesystem.c
+++ b/supervisor/shared/filesystem.c
@@ -248,12 +248,14 @@ void filesystem_set_writable_by_usb(fs_user_mount_t *vfs, bool usb_writable) {
 
 bool filesystem_is_writable_by_python(fs_user_mount_t *vfs) {
     return ((vfs->blockdev.flags & MP_BLOCKDEV_FLAG_CONCURRENT_WRITE_PROTECTED) == 0) ||
-           ((vfs->blockdev.flags & MP_BLOCKDEV_FLAG_USB_WRITABLE) == 0);
+           ((vfs->blockdev.flags & MP_BLOCKDEV_FLAG_USB_WRITABLE) == 0) ||
+           ((vfs->blockdev.flags & MP_BLOCKDEV_FLAG_IGNORE_WRITE_PROTECTION) != 0);
 }
 
 bool filesystem_is_writable_by_usb(fs_user_mount_t *vfs) {
     return ((vfs->blockdev.flags & MP_BLOCKDEV_FLAG_CONCURRENT_WRITE_PROTECTED) == 0) ||
-           ((vfs->blockdev.flags & MP_BLOCKDEV_FLAG_USB_WRITABLE) != 0);
+           ((vfs->blockdev.flags & MP_BLOCKDEV_FLAG_USB_WRITABLE) != 0) ||
+           ((vfs->blockdev.flags & MP_BLOCKDEV_FLAG_IGNORE_WRITE_PROTECTION) != 0);
 }
 
 void filesystem_set_internal_concurrent_write_protection(bool concurrent_write_protection) {
@@ -268,6 +270,14 @@ void filesystem_set_concurrent_write_protection(fs_user_mount_t *vfs, bool concu
     }
 }
 
+void filesystem_set_ignore_write_protection(fs_user_mount_t *vfs, bool ignore_write_protection) {
+    if (ignore_write_protection) {
+        vfs->blockdev.flags |= MP_BLOCKDEV_FLAG_IGNORE_WRITE_PROTECTION;
+    } else {
+        vfs->blockdev.flags &= ~MP_BLOCKDEV_FLAG_IGNORE_WRITE_PROTECTION;
+    }
+}
+
 bool filesystem_present(void) {
     return _circuitpy_vfs.len > 0;
 }
diff --git a/supervisor/shared/usb/usb_msc_flash.c b/supervisor/shared/usb/usb_msc_flash.c
index e4e4801de9c88..febede876bbf5 100644
--- a/supervisor/shared/usb/usb_msc_flash.c
+++ b/supervisor/shared/usb/usb_msc_flash.c
@@ -249,7 +249,7 @@ bool tud_msc_is_writable_cb(uint8_t lun) {
     if (vfs == NULL) {
         return false;
     }
-    if (vfs->blockdev.writeblocks[0] == MP_OBJ_NULL || !filesystem_is_writable_by_usb(vfs)) {
+    if (!filesystem_is_writable_by_usb(vfs)) {
         return false;
     }
     // Lock the blockdev once we say we're writable.