diff --git a/Makefile b/Makefile
index bd45960a89..06942a0e51 100644
--- a/Makefile
+++ b/Makefile
@@ -141,8 +141,8 @@ gdb: ## start remote gdb session which connects to the openocd
 ## misc commands:
 
 vendorheader: ## construct default vendor header
-	./tools/build_vendorheader 'db995fe25169d141cab9bbba92baa01f9f2e1ece7df4cb2ac05190f37fcc1f9d:2152f8d19b791d24453242e15f2eab6cb7cffa7b6a5ed30097960e069881db12:22fc297792f0b6ffc0bfcfdb7edb0c0aa14e025a365ec0e342e86e3829cb74b6' 1 0.0 SatoshiLabs assets/satoshilabs_120.toif embed/firmware/vendorheader.bin
-	./tools/binctl embed/firmware/vendorheader.bin -s 1 4141414141414141414141414141414141414141414141414141414141414141
+	./tools/build_vendorheader 'e28a8970753332bd72fef413e6b0b2ef1b4aadda7aa2c141f233712a6876b351:d4eec1869fb1b8a4e817516ad5a931557cb56805c3eb16e8f3a803d647df7869:772c8a442b7db06e166cfbc1ccbcbcde6f3eba76a4e98ef3ffc519502237d6ef' 1 0.0 SatoshiLabs assets/satoshilabs_120.toif embed/firmware/vendorheader.bin
+	./tools/binctl embed/firmware/vendorheader.bin -s 1 4444444444444444444444444444444444444444444444444444444444444444
 
 binctl: ## print info about binary files
 	./tools/binctl $(BOOTLOADER_BUILD_DIR)/bootloader.bin
diff --git a/SConscript.firmware b/SConscript.firmware
index 1c7d4b56a9..944fdb9df7 100644
--- a/SConscript.firmware
+++ b/SConscript.firmware
@@ -434,7 +434,7 @@ program_bin = env.Command(
     source=program_elf,
     action=[
         '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
-        '$BINCTL $TARGET -s 1 4141414141414141414141414141414141414141414141414141414141414141',
+        '$BINCTL $TARGET -s 1 4747474747474747474747474747474747474747474747474747474747474747',
     ], )
 
 program0_bin = env.Command(
diff --git a/assets/keys.txt b/assets/keys.txt
deleted file mode 100644
index 963cb07054..0000000000
--- a/assets/keys.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-seckey1: 4141414141414141414141414141414141414141414141414141414141414141
-pubkey1: db995fe25169d141cab9bbba92baa01f9f2e1ece7df4cb2ac05190f37fcc1f9d
-
-seckey2: 4242424242424242424242424242424242424242424242424242424242424242
-pubkey2: 2152f8d19b791d24453242e15f2eab6cb7cffa7b6a5ed30097960e069881db12
-
-seckey3: 4343434343434343434343434343434343434343434343434343434343434343
-pubkey3: 22fc297792f0b6ffc0bfcfdb7edb0c0aa14e025a365ec0e342e86e3829cb74b6
-
-seckey4: 4444444444444444444444444444444444444444444444444444444444444444
-pubkey4: d759793bbc13a2819a827c76adb6fba8a49aee007f49f2d0992d99b825ad2c48
-
-seckey5: 4545454545454545454545454545454545454545454545454545454545454545
-pubkey5: 6355691c178a8ff91007a7478afb955ef7352c63e7b25703984cf78b26e21a56
diff --git a/embed/boardloader/main.c b/embed/boardloader/main.c
index a2953136d4..647461337e 100644
--- a/embed/boardloader/main.c
+++ b/embed/boardloader/main.c
@@ -104,6 +104,14 @@ bool copy_sdcard(void)
     return true;
 }
 
+const uint8_t BOARDLOADER_KEY_M = 1;
+const uint8_t BOARDLOADER_KEY_N = 3;
+static const uint8_t * const BOARDLOADER_KEYS[] = {
+    (const uint8_t *)"\xdb\x99\x5f\xe2\x51\x69\xd1\x41\xca\xb9\xbb\xba\x92\xba\xa0\x1f\x9f\x2e\x1e\xce\x7d\xf4\xcb\x2a\xc0\x51\x90\xf3\x7f\xcc\x1f\x9d",
+    (const uint8_t *)"\x21\x52\xf8\xd1\x9b\x79\x1d\x24\x45\x32\x42\xe1\x5f\x2e\xab\x6c\xb7\xcf\xfa\x7b\x6a\x5e\xd3\x00\x97\x96\x0e\x06\x98\x81\xdb\x12",
+    (const uint8_t *)"\x22\xfc\x29\x77\x92\xf0\xb6\xff\xc0\xbf\xcf\xdb\x7e\xdb\x0c\x0a\xa1\x4e\x02\x5a\x36\x5e\xc0\xe3\x42\xe8\x6e\x38\x29\xcb\x74\xb6",
+};
+
 void check_and_jump(void)
 {
     display_printf("checking bootloader\n");
@@ -117,7 +125,7 @@ void check_and_jump(void)
         return;
     }
 
-    if (image_check_signature((const uint8_t *)BOOTLOADER_START, &hdr, NULL)) {
+    if (image_check_signature((const uint8_t *)BOOTLOADER_START, &hdr, BOARDLOADER_KEY_M, BOARDLOADER_KEY_N, BOARDLOADER_KEYS)) {
         display_printf("valid bootloader signature\n");
         display_printf("JUMP!\n");
         jump_to(BOOTLOADER_START + HEADER_SIZE);
diff --git a/embed/bootloader/main.c b/embed/bootloader/main.c
index 6c4bb1c32c..451c7770ac 100644
--- a/embed/bootloader/main.c
+++ b/embed/bootloader/main.c
@@ -47,6 +47,14 @@ void display_vendor(const uint8_t *vimg, const char *vstr, uint32_t vstr_len, ui
     display_refresh();
 }
 
+const uint8_t BOOTLOADER_KEY_M = 1;
+const uint8_t BOOTLOADER_KEY_N = 3;
+static const uint8_t * const BOOTLOADER_KEYS[] = {
+    (const uint8_t *)"\xd7\x59\x79\x3b\xbc\x13\xa2\x81\x9a\x82\x7c\x76\xad\xb6\xfb\xa8\xa4\x9a\xee\x00\x7f\x49\xf2\xd0\x99\x2d\x99\xb8\x25\xad\x2c\x48",
+    (const uint8_t *)"\x63\x55\x69\x1c\x17\x8a\x8f\xf9\x10\x07\xa7\x47\x8a\xfb\x95\x5e\xf7\x35\x2c\x63\xe7\xb2\x57\x03\x98\x4c\xf7\x8b\x26\xe2\x1a\x56",
+    (const uint8_t *)"\xee\x93\xa4\xf6\x6f\x8d\x16\xb8\x19\xbb\x9b\xeb\x9f\xfc\xcd\xfc\xdc\x14\x12\xe8\x7f\xee\x6a\x32\x4c\x2a\x99\xa1\xe0\xe6\x71\x48",
+};
+
 void check_and_jump(void)
 {
     display_printf("checking vendor header\n");
@@ -59,7 +67,7 @@ void check_and_jump(void)
         return;
     }
 
-    if (vendor_check_signature((const uint8_t *)FIRMWARE_START, &vhdr)) {
+    if (vendor_check_signature((const uint8_t *)FIRMWARE_START, &vhdr, BOOTLOADER_KEY_M, BOOTLOADER_KEY_N, BOOTLOADER_KEYS)) {
         display_printf("valid vendor header signature\n");
     } else {
         display_printf("invalid vendor header signature\n");
@@ -76,7 +84,7 @@ void check_and_jump(void)
         return;
     }
 
-    if (image_check_signature((const uint8_t *)(FIRMWARE_START + vhdr.hdrlen), &hdr, &vhdr)) {
+    if (image_check_signature((const uint8_t *)(FIRMWARE_START + vhdr.hdrlen), &hdr, vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub)) {
         display_printf("valid firmware signature\n");
 
         display_vendor(vhdr.vimg, (const char *)vhdr.vstr, vhdr.vstr_len, hdr.version);
diff --git a/embed/trezorhal/image.c b/embed/trezorhal/image.c
index 325b895a21..d60342a569 100644
--- a/embed/trezorhal/image.c
+++ b/embed/trezorhal/image.c
@@ -6,49 +6,27 @@
 #include "common.h"
 #include "image.h"
 
-static const uint8_t * const SATOSHILABS_PUBKEYS[] = {
-    (const uint8_t *)"\xdb\x99\x5f\xe2\x51\x69\xd1\x41\xca\xb9\xbb\xba\x92\xba\xa0\x1f\x9f\x2e\x1e\xce\x7d\xf4\xcb\x2a\xc0\x51\x90\xf3\x7f\xcc\x1f\x9d",
-    (const uint8_t *)"\x21\x52\xf8\xd1\x9b\x79\x1d\x24\x45\x32\x42\xe1\x5f\x2e\xab\x6c\xb7\xcf\xfa\x7b\x6a\x5e\xd3\x00\x97\x96\x0e\x06\x98\x81\xdb\x12",
-    (const uint8_t *)"\x22\xfc\x29\x77\x92\xf0\xb6\xff\xc0\xbf\xcf\xdb\x7e\xdb\x0c\x0a\xa1\x4e\x02\x5a\x36\x5e\xc0\xe3\x42\xe8\x6e\x38\x29\xcb\x74\xb6",
-    (const uint8_t *)"\xd7\x59\x79\x3b\xbc\x13\xa2\x81\x9a\x82\x7c\x76\xad\xb6\xfb\xa8\xa4\x9a\xee\x00\x7f\x49\xf2\xd0\x99\x2d\x99\xb8\x25\xad\x2c\x48",
-    (const uint8_t *)"\x63\x55\x69\x1c\x17\x8a\x8f\xf9\x10\x07\xa7\x47\x8a\xfb\x95\x5e\xf7\x35\x2c\x63\xe7\xb2\x57\x03\x98\x4c\xf7\x8b\x26\xe2\x1a\x56",
-};
-
-static bool compute_pubkey(const vendor_header *vhdr, uint8_t sigmask, ed25519_public_key res)
+static bool compute_pubkey(uint8_t sig_m, uint8_t sig_n, const uint8_t * const *pub, uint8_t sigmask, ed25519_public_key res)
 {
-    uint8_t vsig_m;
-    uint8_t vsig_n;
-    const uint8_t * const *vpub;
+    if (!sig_m || !sig_n) return false;
+    if (sig_m > sig_n) return false;
 
-    if (vhdr) {
-        vsig_m = vhdr->vsig_m;
-        vsig_n = vhdr->vsig_n;
-        vpub = vhdr->vpub;
-    } else {
-        vsig_m = 1;
-        vsig_n = 5;
-        vpub = SATOSHILABS_PUBKEYS;
-    }
+    // discard bits higher than sig_n
+    sigmask &= ((1 << sig_n) - 1);
 
-    if (!vsig_m || !vsig_n) return false;
-    if (vsig_m > vsig_n) return false;
+    // remove if number of set bits in sigmask is not equal to sig_m
+    if (__builtin_popcount(sigmask) != sig_m) return false;
 
-    // discard bits higher than vsig_n
-    sigmask &= ((1 << vsig_n) - 1);
-
-    // remove if number of set bits in sigmask is not equal to vsig_m
-    if (__builtin_popcount(sigmask) != vsig_m) return false;
-
-    ed25519_public_key keys[vsig_m];
+    ed25519_public_key keys[sig_m];
     int j = 0;
-    for (int i = 0; i < vsig_n; i++) {
+    for (int i = 0; i < sig_n; i++) {
         if ((1 << i) & sigmask) {
-            memcpy(keys[j], vpub[i], 32);
+            memcpy(keys[j], pub[i], 32);
             j++;
         }
     }
 
-    return 0 == ed25519_cosi_combine_publickeys(res, keys, vsig_m);
+    return 0 == ed25519_cosi_combine_publickeys(res, keys, sig_m);
 }
 
 bool image_parse_header(const uint8_t *data, uint32_t magic, uint32_t maxsize, image_header *hdr)
@@ -83,7 +61,7 @@ bool image_parse_header(const uint8_t *data, uint32_t magic, uint32_t maxsize, i
     return true;
 }
 
-bool image_check_signature(const uint8_t *data, const image_header *hdr, const vendor_header *vhdr)
+bool image_check_signature(const uint8_t *data, const image_header *hdr, uint8_t key_m, uint8_t key_n, const uint8_t * const *keys)
 {
     uint8_t hash[BLAKE2S_DIGEST_LENGTH];
     BLAKE2S_CTX ctx;
@@ -96,7 +74,7 @@ bool image_check_signature(const uint8_t *data, const image_header *hdr, const v
     blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
 
     ed25519_public_key pub;
-    if (!compute_pubkey(vhdr, hdr->sigmask, pub)) return false;
+    if (!compute_pubkey(key_m, key_n, keys, hdr->sigmask, pub)) return false;
 
     return 0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, pub, *(const ed25519_signature *)hdr->sig);
 }
@@ -149,7 +127,7 @@ bool vendor_parse_header(const uint8_t *data, vendor_header *vhdr)
     return true;
 }
 
-bool vendor_check_signature(const uint8_t *data, const vendor_header *vhdr)
+bool vendor_check_signature(const uint8_t *data, const vendor_header *vhdr, uint8_t key_m, uint8_t key_n, const uint8_t * const *keys)
 {
     uint8_t hash[BLAKE2S_DIGEST_LENGTH];
     BLAKE2S_CTX ctx;
@@ -161,7 +139,7 @@ bool vendor_check_signature(const uint8_t *data, const vendor_header *vhdr)
     blake2s_Final(&ctx, hash, BLAKE2S_DIGEST_LENGTH);
 
     ed25519_public_key pub;
-    if (!compute_pubkey(NULL, vhdr->sigmask, pub)) return false;
+    if (!compute_pubkey(key_m, key_n, keys, vhdr->sigmask, pub)) return false;
 
     return 0 == ed25519_sign_open(hash, BLAKE2S_DIGEST_LENGTH, pub, *(const ed25519_signature *)vhdr->sig);
 }
diff --git a/embed/trezorhal/image.h b/embed/trezorhal/image.h
index 5e4ee4e828..470b4769d1 100644
--- a/embed/trezorhal/image.h
+++ b/embed/trezorhal/image.h
@@ -34,10 +34,10 @@ typedef struct {
 
 bool image_parse_header(const uint8_t *data, uint32_t magic, uint32_t maxsize, image_header *hdr);
 
-bool image_check_signature(const uint8_t *data, const image_header *hdr, const vendor_header *vhdr);
+bool image_check_signature(const uint8_t *data, const image_header *hdr, uint8_t key_m, uint8_t key_n, const uint8_t * const *keys);
 
 bool vendor_parse_header(const uint8_t *data, vendor_header *vhdr);
 
-bool vendor_check_signature(const uint8_t *data, const vendor_header *vhdr);
+bool vendor_check_signature(const uint8_t *data, const vendor_header *vhdr, uint8_t key_m, uint8_t key_n, const uint8_t * const *keys);
 
 #endif
diff --git a/tools/genkeys.py b/tools/genkeys.py
new file mode 100755
index 0000000000..81af47d8f4
--- /dev/null
+++ b/tools/genkeys.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+
+import binascii
+import ed25519
+
+def hex_to_c(s):
+    return '"\\x' + '\\x'.join([s[i:i + 2] for i in range(0, len(s), 2)]) + '"'
+
+for c in 'ABCDEFGHI':
+    print()
+    seckey = c.encode() * 32
+    seckey_hex = binascii.hexlify(seckey).decode()
+    print('seckey', seckey_hex)
+    print('      ', hex_to_c(seckey_hex))
+    sk = ed25519.SigningKey(seckey)
+    pubkey = sk.get_verifying_key().to_bytes()
+    pubkey_hex = binascii.hexlify(pubkey).decode()
+    print('pubkey', pubkey_hex)
+    print('      ', hex_to_c(pubkey_hex))