diff --git a/linux/build/scripts/build-inner.sh b/linux/build/scripts/build-inner.sh
index 6e48dfc..e2a11de 100755
--- a/linux/build/scripts/build-inner.sh
+++ b/linux/build/scripts/build-inner.sh
@@ -217,6 +217,17 @@ post_process_for_reproducibility() {
         -comp xz -b 1M -Xdict-size 100% \
         -no-recovery
 
+    # The squashfs file's mtime is what xorriso's `-update` writes into
+    # the ISO9660 directory record at `-commit` time, OVERRIDING what
+    # `-alter_date_r all` set on the in-memory ISO model. Run #4282
+    # diagnosed exactly this: bytes 205152-205156 of the ISO encoded
+    # the dirrec date for /live/filesystem.squashfs as
+    # `7 23 47 42` (Build A wrote at May 7 23:47:42) vs
+    # `8 0 3 45`   (Build B wrote at May 8 00:03:45).
+    # Touching the source file to the pinned epoch before xorriso reads
+    # it eliminates the wall-clock leak through -update.
+    sudo --non-interactive touch -d "@${SOURCE_DATE_EPOCH}" "${new_sqfs}"
+
     # Substitute the new squashfs into the ISO. xorriso's `-update`
     # rewrites just the named file then re-emits the ISO; -boot_image
     # any keep preserves the existing El Torito + GPT/UEFI bits so the
diff --git a/linux/build/scripts/diagnose-divergence.sh b/linux/build/scripts/diagnose-divergence.sh
index 389d7e5..7f5e708 100755
--- a/linux/build/scripts/diagnose-divergence.sh
+++ b/linux/build/scripts/diagnose-divergence.sh
@@ -227,15 +227,27 @@ if command -v cmp >/dev/null 2>&1; then
         echo "diagnose: first ISO byte difference at offset ${first_diff_byte} (LBA ${lba})"
         # 128-byte window starting 32 bytes before the diff.
         start=$(( first_diff_byte > 32 ? first_diff_byte - 32 : 0 ))
-        if command -v xxd >/dev/null 2>&1; then
-            dd if="${ISO_A}" bs=1 skip="${start}" count=128 2>/dev/null \
-                | xxd > "${REPORT_DIR}/iso-a-around-first-diff.xxd" || true
-            dd if="${ISO_B}" bs=1 skip="${start}" count=128 2>/dev/null \
-                | xxd > "${REPORT_DIR}/iso-b-around-first-diff.xxd" || true
-            diff -u "${REPORT_DIR}/iso-a-around-first-diff.xxd" \
-                    "${REPORT_DIR}/iso-b-around-first-diff.xxd" \
-                > "${REPORT_DIR}/iso-around-first-diff.diff" 2>/dev/null || true
-        fi
+        # Prefer xxd if available, fall back to od (always in coreutils).
+        # silvermetal-builder doesn't ship xxd; run #4282's diagnostic
+        # silently produced no hex window because of that.
+        dump_hex() {
+            local f="$1" out="$2"
+            if command -v xxd >/dev/null 2>&1; then
+                xxd "${f}" > "${out}"
+            else
+                od -A x -t x1z -v "${f}" > "${out}"
+            fi
+        }
+        dd if="${ISO_A}" bs=1 skip="${start}" count=128 2>/dev/null \
+            > "${REPORT_DIR}/_a-window.bin" || true
+        dd if="${ISO_B}" bs=1 skip="${start}" count=128 2>/dev/null \
+            > "${REPORT_DIR}/_b-window.bin" || true
+        dump_hex "${REPORT_DIR}/_a-window.bin" "${REPORT_DIR}/iso-a-around-first-diff.hex" || true
+        dump_hex "${REPORT_DIR}/_b-window.bin" "${REPORT_DIR}/iso-b-around-first-diff.hex" || true
+        rm -f "${REPORT_DIR}/_a-window.bin" "${REPORT_DIR}/_b-window.bin" || true
+        diff -u "${REPORT_DIR}/iso-a-around-first-diff.hex" \
+                "${REPORT_DIR}/iso-b-around-first-diff.hex" \
+            > "${REPORT_DIR}/iso-around-first-diff.diff" 2>/dev/null || true
     fi
 
     # Keep the legacy first-8KB scan around as a quick header view.