From 3cd47f85afef632454b0a87a31b23e34ed1fe77f Mon Sep 17 00:00:00 2001
From: tychovrahe <brunam@seznam.cz>
Date: Wed, 23 Nov 2022 16:02:05 +0100
Subject: [PATCH] feat(legacy): qa build for upgrade testing

---
 core/Makefile                                 |   4 +-
 core/SConscript.firmware                      |  17 +-
 .../firmware/bootloaders/bootloader_1.bin     |   1 +
 .../bootloader_T.bin}                         | Bin
 legacy/Makefile.include                       |  12 +
 legacy/bootloader/bootloader.c                |  10 +-
 legacy/bootloader/firmware_sign_dev.py        | 333 ++++++++++++++++++
 legacy/firmware/Makefile                      |  10 +-
 legacy/firmware/bl_check.c                    |  79 ++++-
 legacy/firmware/bl_check_qa.txt               |   1 +
 legacy/firmware/bl_data.py                    |  36 +-
 legacy/firmware/bootloader_qa.dat             | Bin 0 -> 52962 bytes
 legacy/fw_signatures.c                        |  28 +-
 legacy/intermediate_fw/Makefile               |  11 +-
 legacy/intermediate_fw/bootloader_qa.dat      |   1 +
 legacy/memory.c                               |  10 +-
 legacy/script/update_bootloader.py            |  54 ++-
 legacy/setup.c                                |   2 +-
 18 files changed, 565 insertions(+), 44 deletions(-)
 create mode 120000 core/embed/firmware/bootloaders/bootloader_1.bin
 rename core/embed/firmware/{bootloader.bin => bootloaders/bootloader_T.bin} (100%)
 create mode 100644 legacy/bootloader/firmware_sign_dev.py
 create mode 100644 legacy/firmware/bl_check_qa.txt
 create mode 100644 legacy/firmware/bootloader_qa.dat
 create mode 120000 legacy/intermediate_fw/bootloader_qa.dat

diff --git a/core/Makefile b/core/Makefile
index 78ed915e3..9861c6c8e 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -21,9 +21,11 @@ CROSS_PORT_OPTS ?=
 PRODUCTION ?= 0
 PYOPT      ?= 1
 BITCOIN_ONLY ?= 0
+BOOTLOADER_QA ?= 0
 TREZOR_MODEL ?= T
 TREZOR_MEMPERF ?= 0
 ADDRESS_SANITIZER ?= 0
+UI2 ?= 0
 
 # OpenOCD interface default. Alternative: ftdi/olimex-arm-usb-tiny-h
 OPENOCD_INTERFACE ?= stlink
@@ -164,7 +166,7 @@ build_reflash: ## build reflash firmware + reflash image
 	dd if=build/bootloader/bootloader.bin of=$(REFLASH_BUILD_DIR)/sdimage.bin bs=1 seek=49152
 
 build_firmware: templates build_cross ## build firmware with frozen modules
-	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" PYOPT="$(PYOPT)" BITCOIN_ONLY="$(BITCOIN_ONLY)" $(FIRMWARE_BUILD_DIR)/firmware.bin
+	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" PYOPT="$(PYOPT)" BITCOIN_ONLY="$(BITCOIN_ONLY)" BOOTLOADER_QA="$(BOOTLOADER_QA)" $(FIRMWARE_BUILD_DIR)/firmware.bin
 
 build_unix: templates ## build unix port
 	$(SCONS) CFLAGS="$(CFLAGS)" $(UNIX_BUILD_DIR)/trezor-emu-core $(UNIX_PORT_OPTS) TREZOR_MODEL="$(TREZOR_MODEL)" PYOPT="0" BITCOIN_ONLY="$(BITCOIN_ONLY)" TREZOR_EMULATOR_ASAN="$(ADDRESS_SANITIZER)"
diff --git a/core/SConscript.firmware b/core/SConscript.firmware
index 911f74365..023a53965 100644
--- a/core/SConscript.firmware
+++ b/core/SConscript.firmware
@@ -5,10 +5,15 @@ import os
 import tools
 
 BITCOIN_ONLY = ARGUMENTS.get('BITCOIN_ONLY', '0')
+PRODUCTION = ARGUMENTS.get('PRODUCTION', '0')
+BOOTLOADER_QA = ARGUMENTS.get('BOOTLOADER_QA', '0') == '1'
 EVERYTHING = BITCOIN_ONLY != '1'
 TREZOR_MODEL = ARGUMENTS.get('TREZOR_MODEL', 'T')
 DMA2D = TREZOR_MODEL in ('T', )
 
+if PRODUCTION != '1' and BOOTLOADER_QA:
+    raise ValueError('Firmware variant for bootloader upgrade testing must be done with PRODUCTION=1')
+
 FEATURE_FLAGS = {
     "RDI": True,
     "SECP256K1_ZKP": True,  # required for trezor.crypto.curve.bip340 (BIP340/Taproot)
@@ -431,7 +436,7 @@ tools.add_font('MONO', FONT_MONO, CPPDEFINES_MOD, SOURCE_MOD)
 
 SOURCE_QSTR = SOURCE_MOD + SOURCE_MICROPYTHON + SOURCE_MICROPYTHON_SPEED
 
-env = Environment(ENV=os.environ, CFLAGS='%s -DPRODUCTION=%s -DPYOPT=%s -DBITCOIN_ONLY=%s' % (ARGUMENTS.get('CFLAGS', ''), ARGUMENTS.get('PRODUCTION', '0'), PYOPT, BITCOIN_ONLY))
+env = Environment(ENV=os.environ, CFLAGS='%s -DPRODUCTION=%s -DPYOPT=%s -DBITCOIN_ONLY=%s' % (ARGUMENTS.get('CFLAGS', ''), PRODUCTION, PYOPT, BITCOIN_ONLY))
 
 tools.configure_board(TREZOR_MODEL, env, CPPDEFINES_MOD, SOURCE_TREZORHAL)
 
@@ -769,12 +774,18 @@ obj_program.extend(
         ' --rename-section .data=.vendorheader,alloc,load,readonly,contents'
         ' $SOURCE $TARGET', ))
 
+
+BOOTLOADER_SUFFIX =  TREZOR_MODEL + ('_QA' if BOOTLOADER_QA else '')
+
 obj_program.extend(
     env.Command(
-        target='embed/firmware/bootloader.o',
-        source='embed/firmware/bootloader.bin',
+        target='embed/firmware/bootloaders/bootloader.o',
+        source=f'embed/firmware/bootloaders/bootloader_{BOOTLOADER_SUFFIX}.bin',
         action='$OBJCOPY -I binary -O elf32-littlearm -B arm'
         ' --rename-section .data=.bootloader'
+        f' --redefine-sym _binary_embed_firmware_bootloaders_bootloader_{BOOTLOADER_SUFFIX}_bin_start=_binary_embed_firmware_bootloader_bin_start'
+        f' --redefine-sym _binary_embed_firmware_bootloaders_bootloader_{BOOTLOADER_SUFFIX}_bin_end=_binary_embed_firmware_bootloader_bin_end'
+        f' --redefine-sym _binary_embed_firmware_bootloaders_bootloader_{BOOTLOADER_SUFFIX}_bin_size=_binary_embed_firmware_bootloader_bin_size'
         ' $SOURCE $TARGET', ))
 
 env.Depends(obj_program, qstr_generated)
diff --git a/core/embed/firmware/bootloaders/bootloader_1.bin b/core/embed/firmware/bootloaders/bootloader_1.bin
new file mode 120000
index 000000000..6a019c96b
--- /dev/null
+++ b/core/embed/firmware/bootloaders/bootloader_1.bin
@@ -0,0 +1 @@
+../../../../legacy/firmware/bootloader.dat
\ No newline at end of file
diff --git a/core/embed/firmware/bootloader.bin b/core/embed/firmware/bootloaders/bootloader_T.bin
similarity index 100%
rename from core/embed/firmware/bootloader.bin
rename to core/embed/firmware/bootloaders/bootloader_T.bin
diff --git a/legacy/Makefile.include b/legacy/Makefile.include
index f7cbd6ec2..20fd6ae9c 100644
--- a/legacy/Makefile.include
+++ b/legacy/Makefile.include
@@ -156,6 +156,18 @@ CPUFLAGS += -DPRODUCTION=1
 $(info PRODUCTION=1)
 endif
 
+BOOTLOADER_QA ?= 0
+ifeq ($(BOOTLOADER_QA), 0)
+CFLAGS   += -DBOOTLOADER_QA=0
+CPUFLAGS += -DBOOTLOADER_QA=0
+$(info BOOTLOADER_QA=0)
+else
+CFLAGS   += -DBOOTLOADER_QA=1
+CPUFLAGS += -DBOOTLOADER_QA=1
+$(info BOOTLOADER_QA=1)
+endif
+
+
 ifeq ($(DEBUG_RNG), 1)
 CFLAGS += -DDEBUG_RNG=1
 else
diff --git a/legacy/bootloader/bootloader.c b/legacy/bootloader/bootloader.c
index 0dfa42c72..66c1d46bb 100644
--- a/legacy/bootloader/bootloader.c
+++ b/legacy/bootloader/bootloader.c
@@ -64,6 +64,7 @@ void show_unplug(const char *line1, const char *line2) {
                "You may now", "unplug your Trezor.", NULL);
 }
 
+#if !BOOTLOADER_QA
 static void show_unofficial_warning(const uint8_t *hash) {
 // On production bootloader, show warning and wait for user
 // to accept or reject it
@@ -93,6 +94,7 @@ static void show_unofficial_warning(const uint8_t *hash) {
   delay(100000000);
 #endif
 }
+#endif
 
 static void __attribute__((noreturn)) load_app(int signed_firmware) {
   // zero out SRAM
@@ -159,12 +161,16 @@ int main(void) {
     uint8_t fingerprint[32] = {0};
     int signed_firmware = signatures_match(hdr, fingerprint);
     if (SIG_OK != signed_firmware) {
+#if BOOTLOADER_QA
+      show_halt("Unsigned firmware", "Won't run on QA device");
+#else
       show_unofficial_warning(fingerprint);
+#endif
     }
-#if !PRODUCTION
+#if !PRODUCTION && !BOOTLOADER_QA && !DEBUG_T1_SIGNATURES
     // try to avoid bricking board SWD debug by accident
     else {
-      show_halt("Official firmware", "Won't flash on debug device");
+      show_halt("Official firmware", "Won't run on debug device");
     }
 #endif
 
diff --git a/legacy/bootloader/firmware_sign_dev.py b/legacy/bootloader/firmware_sign_dev.py
new file mode 100644
index 000000000..af66ce1ee
--- /dev/null
+++ b/legacy/bootloader/firmware_sign_dev.py
@@ -0,0 +1,333 @@
+#!/usr/bin/env python3
+import argparse
+import hashlib
+import struct
+
+import ecdsa
+from ecdsa import BadSignatureError
+
+SLOTS = 3
+
+pubkeys_dev = {
+    1: "042c0b7cf95324a07d05398b240174dc0c2be444d96b159aa6c7f7b1e668680991ae31a9c671a36543f46cea8fce6984608aa316aa0472a7eed08847440218cb2f",
+    2: "04edabbd16b41c8371b92ef2f04c1185b4f03b6dcd52ba9b78d9d7c89c8f2211452c88a66eb8ac3c19a1cc3a3fc6d72506f6fce2025f738d8b55f29f22125eb0a4",
+    3: "04665f660a5052be7a95546a02179058d93d3e08a779734914594346075bb0afd45113948d72cf3dc8f2b70ee02dc1695d051bb0c6da2a914a69045e3277682d3b",
+}
+
+privkeys_dev = {
+    1: "0x4444444444444444444444444444444444444444444444444444444444444444",
+    2: "0x4545454545454545454545454545454545454545454545454545454545454545",
+    3: "0xbfc4bca9c9c228a16639d3503d999a733a439210b64cebe757a4fd03ca46a5c8",
+}
+
+FWHEADER_SIZE = 1024
+SIGNATURES_START = 6 * 4 + 8 + 512
+INDEXES_START = SIGNATURES_START + 3 * 64
+
+INDEXES_START_OLD = len("TRZR") + struct.calcsize("<I")
+SIG_START = INDEXES_START_OLD + SLOTS + 1 + 52
+
+
+def parse_args():
+    parser = argparse.ArgumentParser(
+        description="Commandline tool for signing Trezor firmware."
+    )
+    parser.add_argument("-f", "--file", dest="path", help="Firmware file to modify")
+
+    return parser.parse_args()
+
+
+def pad_to_size(data, size):
+    if len(data) > size:
+        raise ValueError("Chunk too big already")
+    if len(data) == size:
+        return data
+    return data + b"\xFF" * (size - len(data))
+
+
+# see memory.h for details
+
+
+def prepare_hashes(data):
+    # process chunks
+    start = 0
+    end = (64 - 1) * 1024
+    hashes = []
+    for i in range(16):
+        sector = data[start:end]
+        if len(sector) > 0:
+            chunk = pad_to_size(sector, end - start)
+            hashes.append(hashlib.sha256(chunk).digest())
+        else:
+            hashes.append(b"\x00" * 32)
+        start = end
+        end += 64 * 1024
+    return hashes
+
+
+def check_hashes(data):
+    expected_hashes = data[0x20 : 0x20 + 16 * 32]
+    hashes = b""
+    for h in prepare_hashes(data[FWHEADER_SIZE:]):
+        hashes += h
+
+    if expected_hashes == hashes:
+        print("HASHES OK")
+    else:
+        print("HASHES NOT OK")
+
+
+def update_hashes_in_header(data):
+    # Store hashes in the firmware header
+    data = bytearray(data)
+    o = 0
+    for h in prepare_hashes(data[FWHEADER_SIZE:]):
+        data[0x20 + o : 0x20 + o + 32] = h
+        o += 32
+    return bytes(data)
+
+
+def get_header(data, zero_signatures=False):
+    if not zero_signatures:
+        return data[:FWHEADER_SIZE]
+    else:
+        data = bytearray(data[:FWHEADER_SIZE])
+        data[SIGNATURES_START : SIGNATURES_START + 3 * 64 + 3] = b"\x00" * (3 * 64 + 3)
+        return bytes(data)
+
+
+def check_size(data):
+    size = struct.unpack("<L", data[12:16])[0]
+    assert size == len(data) - 1024
+
+
+def check_signatures(data):
+    # Analyses given firmware and prints out
+    # status of included signatures
+
+    indexes = [x for x in data[INDEXES_START : INDEXES_START + SLOTS]]
+
+    to_sign = get_header(data, zero_signatures=True)
+    fingerprint = hashlib.sha256(to_sign).hexdigest()
+
+    print("Firmware fingerprint:", fingerprint)
+
+    used = []
+    for x in range(SLOTS):
+        signature = data[SIGNATURES_START + 64 * x : SIGNATURES_START + 64 * x + 64]
+
+        if indexes[x] == 0:
+            print(f"Slot #{x + 1}", "is empty")
+        else:
+            pubkeys = pubkeys_dev
+            pk = pubkeys[indexes[x]]
+            verify = ecdsa.VerifyingKey.from_string(
+                bytes.fromhex(pk)[1:],
+                curve=ecdsa.curves.SECP256k1,
+                hashfunc=hashlib.sha256,
+            )
+
+            try:
+                verify.verify(signature, to_sign, hashfunc=hashlib.sha256)
+
+                if indexes[x] in used:
+                    print(f"Slot #{x + 1} signature: DUPLICATE", signature.hex())
+                else:
+                    used.append(indexes[x])
+                    print(f"Slot #{x + 1} signature: VALID", signature.hex())
+
+            except Exception:
+                print(f"Slot #{x + 1} signature: INVALID", signature.hex())
+
+
+def modify(data, slot, index, signature):
+    data = bytearray(data)
+    # put index to data
+    data[INDEXES_START + slot - 1] = index
+    # put signature to data
+    data[SIGNATURES_START + 64 * (slot - 1) : SIGNATURES_START + 64 * slot] = signature
+    return bytes(data)
+
+
+def sign(data, slot, secexp):
+    key = ecdsa.SigningKey.from_secret_exponent(
+        secexp=int(secexp, 16),
+        curve=ecdsa.curves.SECP256k1,
+        hashfunc=hashlib.sha256,
+    )
+
+    to_sign = get_header(data, zero_signatures=True)
+
+    # Locate proper index of current signing key
+    pubkey = "04" + key.get_verifying_key().to_string().hex()
+    index = None
+
+    pubkeys = pubkeys_dev
+    for i, pk in pubkeys.items():
+        if pk == pubkey:
+            index = i
+            break
+
+    if index is None:
+        raise Exception("Unable to find private key index. Unknown private key?")
+
+    signature = key.sign_deterministic(to_sign, hashfunc=hashlib.sha256)
+
+    return modify(data, slot, index, signature)
+
+
+def prepare_old(data):
+    # Takes raw OR signed firmware and clean out metadata structure
+    # This produces 'clean' data for signing
+
+    meta = b"TRZR"  # magic
+    if data[:4] == b"TRZR":
+        meta += data[4 : 4 + struct.calcsize("<I")]
+    else:
+        meta += struct.pack("<I", len(data))  # length of the code
+    meta += b"\x00" * SLOTS  # signature index #1-#3
+    meta += b"\x01"  # flags
+    meta += b"\x00" * 52  # reserved
+    meta += b"\x00" * 64 * SLOTS  # signature #1-#3
+
+    if data[:4] == b"TRZR":
+        # Replace existing header
+        out = meta + data[len(meta) :]
+    else:
+        # create data from meta + code
+        out = meta + data
+
+    return out
+
+
+def check_signatures_old(data):
+    # Analyses given firmware and prints out
+    # status of included signatures
+
+    try:
+        indexes = [ord(x) for x in data[INDEXES_START_OLD : INDEXES_START_OLD + SLOTS]]
+    except TypeError:
+        indexes = [x for x in data[INDEXES_START_OLD : INDEXES_START_OLD + SLOTS]]
+
+    to_sign = prepare_old(data)[256:]  # without meta
+    fingerprint = hashlib.sha256(to_sign).hexdigest()
+
+    print("Firmware fingerprint:", fingerprint)
+
+    used = []
+    for x in range(SLOTS):
+        signature = data[SIG_START + 64 * x : SIG_START + 64 * x + 64]
+
+        if indexes[x] == 0:
+            print("Slot #%d" % (x + 1), "is empty")
+        else:
+            pubkeys = pubkeys_dev
+            pk = pubkeys[indexes[x]]
+            verify = ecdsa.VerifyingKey.from_string(
+                bytes.fromhex(pk)[1:],
+                curve=ecdsa.curves.SECP256k1,
+                hashfunc=hashlib.sha256,
+            )
+
+            try:
+                verify.verify(signature, to_sign, hashfunc=hashlib.sha256)
+
+                if indexes[x] in used:
+                    print("Slot #%d signature: DUPLICATE" % (x + 1), signature.hex())
+                else:
+                    used.append(indexes[x])
+                    print("Slot #%d signature: VALID" % (x + 1), signature.hex())
+
+            except BadSignatureError:
+                print("Slot #%d signature: INVALID" % (x + 1), signature.hex())
+
+
+def modify_old(data, slot, index, signature):
+    # Replace signature in data
+
+    # Put index to data
+    data = (
+        data[: INDEXES_START_OLD + slot - 1]
+        + bytes([index])
+        + data[INDEXES_START_OLD + slot :]
+    )
+
+    # Put signature to data
+    data = (
+        data[: SIG_START + 64 * (slot - 1)] + signature + data[SIG_START + 64 * slot :]
+    )
+
+    return data
+
+
+def sign_old(data, slot, secexp):
+    key = ecdsa.SigningKey.from_secret_exponent(
+        secexp=int(secexp, 16),
+        curve=ecdsa.curves.SECP256k1,
+        hashfunc=hashlib.sha256,
+    )
+
+    to_sign = prepare_old(data)[256:]  # without meta
+
+    # Locate proper index of current signing key
+    pubkey = "04" + key.get_verifying_key().to_string().hex()
+    index = None
+
+    pubkeys = pubkeys_dev
+
+    for i, pk in pubkeys.items():
+        if pk == pubkey:
+            index = i
+            break
+
+    if index is None:
+        raise Exception("Unable to find private key index. Unknown private key?")
+
+    signature = key.sign_deterministic(to_sign, hashfunc=hashlib.sha256)
+
+    return modify_old(data, slot, index, signature)
+
+
+def main(args):
+    if not args.path:
+        raise Exception("-f/--file is required")
+
+    data = open(args.path, "rb").read()
+    assert len(data) % 4 == 0
+
+    if data[:4] != b"TRZF":
+        raise Exception("Firmware header expected")
+
+    data = update_hashes_in_header(data)
+
+    print(f"Firmware size {len(data)} bytes")
+
+    check_size(data)
+    check_signatures(data)
+    check_hashes(data)
+
+    data = sign(data, 1, privkeys_dev[1])
+    data = sign(data, 2, privkeys_dev[2])
+    data = sign(data, 3, privkeys_dev[3])
+    check_signatures(data)
+    check_hashes(data)
+
+    fp = open(args.path, "wb")
+    fp.write(data)
+    fp.close()
+
+    data = prepare_old(data)
+    check_signatures_old(data)
+    data = sign_old(data, 1, privkeys_dev[1])
+    data = sign_old(data, 2, privkeys_dev[2])
+    data = sign_old(data, 3, privkeys_dev[3])
+    check_signatures_old(data)
+
+    fp = open(args.path, "wb")
+    fp.write(data)
+    fp.close()
+
+
+if __name__ == "__main__":
+    args = parse_args()
+    main(args)
diff --git a/legacy/firmware/Makefile b/legacy/firmware/Makefile
index d0bca5aa5..755b970d5 100644
--- a/legacy/firmware/Makefile
+++ b/legacy/firmware/Makefile
@@ -173,9 +173,15 @@ endif
 	@printf "  MAKO    $@\n"
 	$(Q)$(PYTHON) ../vendor/trezor-common/tools/cointool.py render $(MAKO_RENDER_FLAG) $@.mako
 
+ifeq ($(BOOTLOADER_QA), 0)
 bl_data.h: bl_data.py bootloader.dat
-	@printf "  PYTHON  bl_data.py\n"
-	$(Q)$(PYTHON) bl_data.py
+	@printf "  PYTHON  bl_data.py bootloader.dat\n"
+	$(Q)$(PYTHON) bl_data.py bootloader.dat
+else
+bl_data.h: bl_data.py bootloader_qa.dat
+	@printf "  PYTHON  bl_data.py bootloader_qa.dat\n"
+	$(Q)$(PYTHON) bl_data.py bootloader_qa.dat
+endif
 
 header.o: version.h
 
diff --git a/legacy/firmware/bl_check.c b/legacy/firmware/bl_check.c
index eeb5eb225..be064b71f 100644
--- a/legacy/firmware/bl_check.c
+++ b/legacy/firmware/bl_check.c
@@ -26,6 +26,81 @@
 #include "memory.h"
 #include "util.h"
 
+#if BOOTLOADER_QA
+static int known_bootloader(int r, const uint8_t *hash) {
+  if (r != 32) return 0;
+  if (0 ==
+      memcmp(hash,
+             "\x1b\xd8\x1c\x0a\x82\x20\x43\x28\xe9\xaf\x7b\xb6\xb1\x6b\x45\x27"
+             "\x81\x31\xcc\x76\x0a\xfa\x9f\xd0\x81\x6e\xc1\xe1\x12\x86\x49\x83",
+             32))
+    return 1;  // 1.3.2
+  if (0 ==
+      memcmp(hash,
+             "\x19\x27\x59\xce\x15\x51\xc4\x21\x03\xcc\x9b\xe8\x4e\x06\x54\x24"
+             "\x68\x8a\x06\xfa\xbb\xe6\xb0\x19\x18\x11\xcd\xbc\x19\x6c\x2f\x1b",
+             32))
+    return 1;  // 1.3.3
+  if (0 ==
+      memcmp(hash,
+             "\x09\x34\x2f\x51\x56\x58\xc1\xe5\x95\x64\x1c\x4f\x8d\xf1\xce\x2b"
+             "\x2b\x6a\x86\x39\x14\x35\x0a\x97\x0d\x6e\x4f\x37\xb1\xd7\xde\x65",
+             32))
+    return 1;  // 1.4.0
+  if (0 ==
+      memcmp(hash,
+             "\x73\x37\xfa\x82\x2b\x62\x90\x50\x49\x3c\x6c\x39\x3a\x9f\x17\x41"
+             "\x75\xe8\x1b\x39\xf3\xb7\x1b\xff\xab\xa2\xb9\x79\x7f\xf1\x0a\x2b",
+             32))
+    return 1;  // 1.5.0
+  if (0 ==
+      memcmp(hash,
+             "\x5c\x8b\x5e\xfc\x8d\x8f\x78\xf3\xa0\x23\x9d\x5f\x90\x95\x4d\xe7"
+             "\xe6\xb5\xb7\x09\xc9\x1c\x3a\xb2\xaa\x14\x6f\x0e\x26\x6e\x70\x60",
+             32))
+    return 1;  // 1.5.1
+  if (0 ==
+      memcmp(hash,
+             "\xec\xbd\x06\xd3\x37\x25\xd5\xa6\xbe\xba\x2b\xe3\xde\xf4\x64\x7e"
+             "\xef\x5d\x7b\xb9\x2b\x0c\x19\x8d\xd2\x89\x47\x3b\xad\xd3\x4c\x97",
+             32))
+    return 1;  // 1.6.0
+  if (0 ==
+      memcmp(hash,
+             "\xec\xca\xff\x24\x34\xdf\x3b\x49\xef\x00\x0c\x0f\x07\x1f\xa5\x60"
+             "\x18\x16\xfa\x19\x56\x0b\x23\xb4\x73\x52\x0e\x68\xc5\x2d\xe5\x7a",
+             32))
+    return 1;  // 1.6.1
+  if (0 ==
+      memcmp(hash,
+             "\xe0\xc7\xfd\xb9\x1a\x14\xcb\x39\xd7\xc1\x43\xff\x70\xd2\x3a\x0b"
+             "\xfb\x0a\xef\xb5\x49\xb6\x15\x0a\xa9\x09\xf8\x35\x0a\xa5\xeb\xa2",
+             32))
+    return 1;  // 1.8.0
+  if (0 ==
+      memcmp(hash,
+             "\xf9\x9f\x49\xf8\xd0\xc3\xfa\x82\xd6\xad\x1e\xf4\xf2\xf2\xd7\x2d"
+             "\x01\xa5\xdc\xa3\x6f\x11\xba\xb9\x13\xbd\xfe\xaf\x84\xb2\x6f\x4a",
+             32))
+    return 1;  // 1.10.0
+  if (0 ==
+      memcmp(hash,
+             "\x8f\x83\x57\x70\x11\x75\xaf\x5c\x1a\xe5\xb9\x6f\x13\x42\x2f\x7f"
+             "\x1a\x52\xed\x96\xcd\xa0\x18\x07\x63\x0e\x0d\x25\x6c\xd9\x18\x78",
+             32))
+    return 1;  // 1.11.0
+  // BEGIN AUTO-GENERATED QA BOOTLOADER ENTRIES (bl_check_qa.txt)
+  if (0 ==
+      memcmp(hash,
+             "\x29\x34\xf3\xd3\xaa\x59\x2b\x34\x49\x6a\x23\xb8\x14\x74\xe2\xc2"
+             "\xf3\xee\x1e\x36\x66\x0b\xf0\x1e\x19\x8a\x65\x15\xc2\x32\xc1\x85",
+             32))
+    return 1;  // 1.12.0 shipped with fw 1.12.0
+  // END AUTO-GENERATED QA BOOTLOADER ENTRIES (bl_check_qa.txt)
+  return 0;
+}
+#endif
+
 #if PRODUCTION
 
 static int known_bootloader(int r, const uint8_t *hash) {
@@ -138,6 +213,8 @@ static int known_bootloader(int r, const uint8_t *hash) {
              "\xe4\xc3\x21\x9c\x9f\x1b\xb3\xa5\x77\x2f\xfd\x60\x9a\xf9\xe8\xe2",
              32))
     return 1;  // 1.11.0 shipped with fw 1.11.1
+  // BEGIN AUTO-GENERATED BOOTLOADER ENTRIES (bl_check.txt)
+  // END AUTO-GENERATED BOOTLOADER ENTRIES (bl_check.txt)
   return 0;
 }
 #endif
@@ -149,7 +226,7 @@ static int known_bootloader(int r, const uint8_t *hash) {
  * @param shutdown_on_replace: if true, shuts down device instead of return
  */
 void check_and_replace_bootloader(bool shutdown_on_replace) {
-#if PRODUCTION
+#if PRODUCTION || BOOTLOADER_QA
   uint8_t hash[32] = {0};
   int r = memory_bootloader_hash(hash);
 
diff --git a/legacy/firmware/bl_check_qa.txt b/legacy/firmware/bl_check_qa.txt
new file mode 100644
index 000000000..77103ab78
--- /dev/null
+++ b/legacy/firmware/bl_check_qa.txt
@@ -0,0 +1 @@
+2934f3d3aa592b34496a23b81474e2c2f3ee1e36660bf01e198a6515c232c185 1.12.0 shipped with fw 1.12.0
diff --git a/legacy/firmware/bl_data.py b/legacy/firmware/bl_data.py
index 6d0207f2b..6a12d614c 100755
--- a/legacy/firmware/bl_data.py
+++ b/legacy/firmware/bl_data.py
@@ -1,7 +1,10 @@
 #!/usr/bin/env python
+import sys
 from hashlib import sha256
 
-fn = "bootloader.dat"
+fn = sys.argv[1]
+
+print("Embedding bootloader", fn)
 
 data = open(fn, "rb").read()
 if len(data) > 32768:
@@ -18,18 +21,19 @@ with open("bl_data.h", "wt") as f:
     f.write(f"static const uint8_t bl_hash[32] = {{{bl_hash}}};\n")
     f.write(f"static const uint8_t bl_data[32768] = {{{bl_data}}};\n")
 
-# make sure the last item listed in known_bootloader function
-# is our bootloader
-with open("bl_check.c", "rt") as f:
-    hashes = []
-    for l in f.readlines():
-        if not len(l) >= 78 or not l.startswith('             "\\x'):
-            continue
-        l = l[14:78]
-        h = ""
-        for i in range(0, len(l), 4):
-            h += l[i + 2 : i + 4]
-        hashes.append(h)
-    check = hashes[-2] + hashes[-1]
-    if check != bh.hex():
-        raise Exception("bootloader hash not listed in bl_check.c")
+if fn != "bootloader_qa.dat":
+    # make sure the last item listed in known_bootloader function
+    # is our bootloader
+    with open("bl_check.c", "rt") as f:
+        hashes = []
+        for l in f.readlines():
+            if not len(l) >= 78 or not l.startswith('             "\\x'):
+                continue
+            l = l[14:78]
+            h = ""
+            for i in range(0, len(l), 4):
+                h += l[i + 2 : i + 4]
+            hashes.append(h)
+        check = hashes[-2] + hashes[-1]
+        if check != bh.hex():
+            raise Exception("bootloader hash not listed in bl_check.c")
diff --git a/legacy/firmware/bootloader_qa.dat b/legacy/firmware/bootloader_qa.dat
new file mode 100644
index 0000000000000000000000000000000000000000..2ddcc7534cb059685967182069d6d501da6dcc5a
GIT binary patch
literal 52962
zcmeIb|8HE$b|+T1`!?BZ66_`^X(*BsZ-0?QksPW?N*YSkmsWS{id1VP>f4OIjNUXw
zanzJFB8TLRsCk+ve^~=YHrUN#H-OjnA{)OAka!ot%Xs~R13M4!zV-UqUU<geVDB?F
zNb*a909pSD`F!eB-Fv%9&dhsp93Xhosj5?_PF0;cb?WQAxA~vG|2zNb`@iFO^i&dl
zP9-PvD)}}XVh^mZTK)z6;9yd~d)Vd(C_x!NrTqU%10^)Z9fMbf1FT)zGbb30p>J-_
z{56CsCN%MT=lbURF1H0FataWm`v^|wQ;r|=<G$-B{5HSc2YH(#AK+Yk&Yc%D>eDJ6
z4<201Lkh5=mnyjc(m_PsbXUMmQy1t!K#~9Sw<yiu{N_LX-e8ULx_&jMvLpUr;|;{L
zgz*WVDOsk%dF@la=O?qt<IMjS9H2~&9(n+km(ZO~0jb5~@QIy{GY7GwBmvaTj?1Z9
zYQA&ML2LppQ5(=T-z!Poq%+r>aQoo^6j(qH=Vg`LgabwVRh6Vr>00{j!3MKSLETqI
zd=?}SmXY7;11bNhViyD2YTnj>&Symsx)p?y(-q;uQnVzXIBKrV@ksBi!2=97+Tn`~
zDxbV8ROL{W?U(oa5|2%_%?<boL|9K0ZXnW9Pte*1+RC)dj&-G)>gtNr#d-$(lvX;>
zHt3u}+6GeuBL>an0UV{>O$sDI4t7v+?rI<jb4sg$0GK;$8?jq(bG80D@heTKrk|MQ
zA`2{6;4wA@=laYrOv=caFTUG$n%E)IJ|&hN@y=dmOy|j#yjdN)0}81EL%E~c7)YVf
zR^d)+br_x#HJ3e8W=|iVKVb&^I$}kuHQ?l+tW)z-hJ!Ko*r-1_KWS))0;mf>u4pur
zJUh@3QWC*^;+G^&5lV0>J9as#8%tfPY`-_6o5Dd&We8|FRX&xy=M{AFVJ7GEmk)x%
zqC6eXUY;`X0mMnydP8^;E(Hr<CDsBmz{!(`i~B754P7>^B=7GF%GNyo9&2bG$F=~6
zhkza$_kgF9Yg|K}<iGiE&M+RBamNQL*$2n@3zL?oT!%UVH~hycnMc|L+zGgIa5Xsg
ze+Hd2*kBjg;T6vzlBIG=c^dg6xKu5kBgM&<@}3@I?;*x{hB<AE*%CSdnmct6s@d@p
z9V*FISrd2tQkFRe8$Iwv0_K~8V?NrH8VO6dR2x{yQ=x#aVk&<=+jB@_sbYtryQ~zD
zT*znFO=@>>)1)R$YMTkuMU`DPX_*Ddxo2U*<ZCxv9VSefu+xM+Mai*u;nVzz$#Wnx
zk`-#NN!_=wn(sHM2bt5P_nGuJOgONR$#)q(FT&Sv(gznDBWXV49hx+y>^G@H3sUQ_
ziDylyI}S+&6F+3a!x`ZZ<vBu%DRnf{V+?UTLOtsBnuT!0lrm<*H^~K<F!5tviLz!r
zJ@^um2){HUDCbM|xwRekx&t=`7xM@5FA#E3F~tGHk^sABHN9r|m$EXCwOS8YQhKOm
z8rK`WpT-d%SldAyD+}#7DhuVH6X-=?8b`VZuOU{PG7Hb1+HR73n|ZY;KmaLY%H0`G
za9S`)fZx5agNUGiGbydE!m(l{<$Tjwi!S5TwLplmKiFp59}yi;%m;8}ru)nP2_C@l
zSaiCnXh{)2mQDKP=j0g6#y#Rwa0~%IMvXrRYUBzDxa8L^T@_UPAq0aBTAWNG(+#1k
z1$9J?(Pl}1qzdXyPKb=07|NaUnJ)^1h|pMP;2KD8=*e!Hv7jvte{_%&y{q>hX5K~|
zaK01XF=H0L|Igjrb(G+~#TK6v4)M=R(C}HG(Fd^cYm*HxN3CAyv63t!#_2E$iQJLe
zk@=Cifi<DBIBqoso=d=X(v`Vbu@1J0;Ul;#x*GvNafFqr2P$RqjX5LEbi<jRuJ?eC
zTD4}u?ITTtwG|t8;TJMAIY%)Yi_!=}5|2xGyx|;Aj|=W)*}SUG^etd&1m2hI-vZor
zaJ)jo@rrOr!@71K>y~mH@3>H~{?$PlN6eT8TfzB(At1U3Kkb+D4(5#LY?S@-*WVu7
zN{k%<Z)}WP4|l8tpYHV5`O&=yKi$fY_I~+4!cQXx*gE&p8EXR)<3_<)z&@Z<#V2r{
zF#(_eCqKrHf-0#tt4f-R*^L7ecx$5j%YW3u7a573-;}{L@h^VIndtiR7hAGPfjj3|
zL1JQp+c|Xv9@S+U5!*2Fc~)!iIW|kceKG4Z#-o?Oy8#wOPEi4oe0DBi-qq}@rWBbO
zB)5B*jr#N@{f^`(*Er6oXo1B512Urp5lSrUoHTX|LKhD~08+R?4pS2OXY<eIbZ>zE
z1Ww@T{L{G!GngKMbbm)>x>(J2>HrR`wh1<k?&gkpoh*_7rq4K|02DI-Sh8RoYzf%Q
zd`l^>L0^TtF@JMzCmA^OV%l>5`e)ls`@j8ZYHSba9YN_-B}+fOL+M<R{P{~emX0Kq
zP5D(?iqECSdCH<*Q~Xk_T5KEkY5wPH1NC!Q4}c1+o<JB@FGLD(cn1NFBKhR}0r>5c
zLyQ3Wx2EPZf~GlmRL+@A)wKl2)TkuvRQ|pl%1?ovv!>+YP*>}zI@g96=Olr(V-mW#
z89z5~W{Ngnja&qMr<z(1+w3U7{`mn@k?CU4^c>~}a~Eba5HWjw1Si<b07D!HLZR;F
ze~NuQ(##wP3}tgB1STng|LTc72S^&Nkb}ui_CQIRY$nCcyfxz=tWWxH`O~z~x8bh9
z1u)tO&=%xyT?neaM(z0&mYry*#nHN&;L`OmT(-V$$ZO8jV9Fh(+8kAZ-@cUi@;^(?
z1Irbi!z$-aI-Iqbu6L|82e&PV%^hqolR)WW2?%#}fXH+sbk4m38CusLeh#lZ^~Em_
zSetSJ1`aF%JzpN<U>7hcSBw5#5ZpmmPeDt-eKwag2@IxJbg0x=NbR&;h-#<w-U4hK
zUvrX4W?~~pjSZ8TS5jLoQK&qQ3bb<`0krclR~Fn*s8T>XsU~HrTWCEGC47lCsjRez
z%c^aUq}r)UV(c~!pMCyTEsn51vB&Rk+-)SM<3IS9<(!$;*mi+G`dNxLU0A=i@wUou
z1UD+~lBCCGJ~A4ZENL46dBAthgk1}QTtl%#ie_KIkxF%w&9sKG{Nu}wdD0t~8&<JX
zjmzYwY9C)Fzwv<y(8SdUEtCDxRIxAwK21P4&jP!0O=W{ssm%{iBz=3Ott7cr-GoK=
zuwdeI{K>l4o_r^|?tQu#Ws4TN^Qxz^SFOFX;b-8q0ub7s<4hRKbED#n!2`s{*vzpl
zcZ}A#3dcc}w*?_Cz#$xk(nYE%26w*3J|5Kh^~Nqclp{B7gX$JwY)&uSoWmL04cdLJ
zk&mXd4DW$$0xL^J*B9jBq@cD}#GLBF_#De;+XcMb=)9GNl1aw_@%)Z#zy;*+{9$7&
zLM=$3^vsG`n>*4ft|+-HEg@taEaujQr_}v8As&M(!yzS@$vI=+7FsYjOX2XHu7Eos
zshHXK3x*Po0Xr4YXHe%w#NLN9cR{S5Vz9=5kGtcz?v%gySF>B^H5Sx(mWpDQ;+d-)
zyTfsJtOKFe{KjPC)ZE?5Y(sd&X9ZEvrw0)J^1pEGmZr$u=P3l>kG^NZe?Hwf&63I^
zfAUWeI2oZUucPe(&|WGKpqE63%9(P_`mVgbFMmUlS6Q|*1@Fk^BbSAiayW}+6&3~@
zScE3N^1^vON_UcMq(cv21*7593AE;P^BfRwVDA{J;0;a>Wexy=l0Mr|k$^pyL+jpe
zTDw=p{|%R#1B|~m+qmFnB4Vxf%>NGfM$pq-)oE?)ZIH0e)9z@4hy`|O>;P6|&O((L
zN(dNia0pU)Do*)7HL(qj+~c+5`idf+Px#aGOrD-QUgNmodNO_G_`Ij@ml0vSHa+h(
z<QTnQU+!>zngoqyRp3-saG+lSUV}Aoc~C~$vD)C4o{#?Wmq;zzrwMa*btDz85HE}!
zx_0<#`xigg#(BZX&#qP41)E-*-I~=jrLQpK`J_K!4+_&J>9xKRQ`va_l^!wRpVdz=
zrnhXJtVfeAAxyG&aMtvN)A7!re}Kyv7Jp0k7RKcn^pum(u^^o{u;52us${HW&a;RK
zjmD5_x>{++mev8)o*#+R-Gp=JXmt;W8Fvt&X#_B-gHvvysZ0<8piR0lZ$4Wa0>*9e
zqxLNP;mhyof%_l7f3M+8-K(qIz#112@_Q~j-HUl&{xZThI3f)%F+EVpzs}LbJiTyk
zjCt<Wog4yy%H69A2ERVE-ch4kn%hbW+scq-03!Jr6Cz8dT+x;@syseY5}p$;$T46>
z2G9>VE*^IIj<#lddU21-aN)o?16QIh095pPOZ<6D{0ZVJpVKSYBIOQXYA1|+2H=I5
zVD9l~Cx?xp3IQLo0Rq9b#|4QqrOi)sSot2hdKieb<Dl%$Vu$SR?BD+5^0?WZ4M^s#
zQ3=<EG1alI`--h!fh+nehF4gg`b@u<V22F(@jv?4<&pYIJ+F7PNweHf`KPlbJ$4_1
z>$LA>i#qlYF`k+zTWdRCf@b;&SQIej;Sj@Nk*Q@aN3S!}wf)pv*=VJa3cGfJbSXu7
zxUXy(LhMUwm(#3Wd7=X;)V$-}x^d6v(oR~pow6>te#+m6y)uY^leM87O>j^@2ok-s
z`>7C?E0^Kn_H+}p*pXvbml2L>jk;Z2l^*)>Klt@>fBkM95uZ7e^uGKj@BpC^aV(Ts
zp7Qc&8}nL?(q<_uSp?Y2@gu`m0|Jm792NA%KQd}sMWm!>lcYnnWHW34Ei}3QhNc7E
z4SM&?U8pwa>R<n`gR%=yAcuDX0=@G1^n!D$In&6x$wKqe{6@OAImu`SLQs$(dW6eK
zSNu<8Z}b+DGc}cq8co8O^A^&aoQp0TF_d*sI%@S2f-+~peqVVsSL(qkmpI!3prpkx
z3e54i5X%JaRHKz5vCKYlyktv(<TeG;jGbA#?(AfiV9<rEF%#}HC4P7Z<72;hZMFxg
zL>lF*3*H=Q6rCf)%T4O3&&)%hP|eC4XfdfVQsL@wfQIR$r6H;bz_@eVIfOtz^i7ZR
z_NmA88Ec*#aan+>C#zO~qlkMs#@gU6W+(*5gT5F>XwAjTGQCRe1Q75X7ZS~aN)f=K
zhlikHUwEgYees8%zt8pnI%>+}BAPAsZ|(F@f)ek8WAh%sQ9{xLP|K#wOR3uKHKgWr
z4XVw|O-^xFgF>;<nxeIgZ^(NYdus_iw585uj_LBL#gy-OGkVv9NMTFmNBx;B(4kOR
zS~+7&a2+is$l^jyw|YMRR#thr0~AJ}SPIh}kE3eeE`q!;f^cDsNP^gB%9LS6Vb^_y
zDChI9b8oQ~fLE?Ju(LFh9xR5}?3e)EjE-;`qy@39w9Rh)1_ST-_v&f(Ez>=B)>?PW
zG)ao8vN=Dgb;w<7Vaqk9r_u?;XMHRZxNT({S-yZxyMc42q;+mfyX^Oxv>4JTAFXrN
z9|X0zXC$ji9{{5AW&cgQpTYXbPZ>TSt|`<$_kl%!-#h{Uo5y@3{$4}bM2ru4nA6T~
zG<KFqqoOn-Ndb~DX8I2p`$E#*L>gmZ8i%5qfCrfNB;+I)z%}yn${@_+kT00O*-x1(
z@BoEyL3LGu69I4bC^NY@Ak%P^pc{@-vVQ7~Q&U*O5@MXoI}qB|HfxvpSf+qjIp)Ep
z*Pw7s;>X9hHVLra*uMUOy_fmsOjz64mNU(?czkTFo2myi5BtcpkF>7K!qXbE3;`K|
zzx!LwrAQjNiUFtN-H{!y=<}&c_J637rROTiGp;Hes->FV`@j`<kk_s`Lf{C*v=V98
zcXFq)=kl2NSduWk()%8E2s`G}*X$zBO`mc#4dB(dpsxx}{^5`+oX+B96_C#6O)+nw
zuA&(ShJ<9AQQn{Oi^kG<KgX>cTin`<_dpBRv9%IQS%eEqlgHM{rgPA4>w5(`S<3^s
zuv96buQogqorHVz23zG`djo6C6Km6B0H>wSmYKE_sg$Px2N<CR+SAY=j-Z@5l=s?`
z<Y@iTR@_ZF-Ue8D@dgj4{-`W0QK0+kp(@LB28()xo)vOgf(}|`1CECH=fB+OWxoM-
z(}$#Te60xzA9hf5N-Uta_PSXkpq)R;kty(+nKE%2DHSV_aq{xAM!Un7Qu4m{_E&mt
zeYFfxtw=$RcNZ4_w;>10EA_mWMG$wsQjXn(Fc%se001`WsJ_8Z`+J)P9T`+7eWzo5
z>%EJdQgSVZeVROQdZUU^D~X$XKqqZdpEB`K+>9-f+EYt<1J)kbF_#zR@0CO2X?Kli
zDNcmsp-INuR<=gBE?l&6heW`8zJ%;{O8B%PrUW#`Wi_Rho^*0$<`j5<fV>X99f5Pj
zcKF-rz|fHHmUizzK8o6{2WdvlFU_>>*x9SpC_`#<vH1>$1q*~~4=r?mEtB0p7ag&N
zKc3w;7vuzz$@bYpmlL9yY}!(F)#;WzDVw^R&{BnyZPSeGEOy<_GAk7;A@O6Fm>VnE
zF?O)#WDjm@!KYx%WCwMr+*!o3{Tk=MAJK18a>j~f_h{-<;KmTws7A(P*^EwG1a6!8
zKJfk7Zqvwb>y%E-bsM<A3k0pld)r0dLE83?mVD9PVf(_?O8Q>?ex&VW73WYgPZiUg
zS7V3qNV0J0AUR$qXi`p^>S~?y?LLIZ0D(U8;=!`S?CJ9WqQ$CP6{_s2fJepL$u@<Z
zTogp0tBcB2ajS+&#`51p5kF}Sy7@cQ@EL0sq2N2->rsik&Yd3<?0nwLnHTnPw(&Dp
zvXbzk5T0{fPiVBPGCN^6B@5e8ykaky_|A!o7Y%k?!n2W?Ey`)QAg7V4B9y4SBIlkf
zlEPk$N@}H#N=)r^w`>JCe}<X~C06M+DLC+*6K}UjA0!2cZBICmgCro~@#qbI)ND0h
zk0ktVzc+k55aX5{aKIn!M?fP5h^gnC97}%fo`Pn>I_kpXlPV~OsDL6HHyd(vC;-!|
z+#ApXR{*<x%LAt#xXJ;1b%d#Iiqg2;FaX+PeHR!|Gc48_;|6Pib(%*h9O%wl$zxpA
zV)Pg{eeL9L=q>KNzu?!*@ZzK)K#Pw;*e9XZ4*2@gnDsTCzMp`=BP2lUiK8x-qVJ^C
zky{7ZlGmM_EM#g(x7YwvSf4p90TbX`CxXTNF`p79)x6O#^)%_<F)`s<sJ5GSg?%F_
z;ya#%2mDNpcf=Y0sK2MFB~fm^&d!;`_7L$<D`S2R{cYl$-2rvo*@D9_1sISpXDCJY
zS4zQy!&fg~B1189CD2-{NFax}RP8)$J-XylqpILR3)V)2AHLa3eZ>}(DmHcrEHIJ_
z2mO7ucE4+zktF<!7rCF(Rh2pHcQXSdjriH7o*nTgo8tCPEQ@yxz#c%>FEzy_f%~@Y
z;CQ@$--lxmn<6U(dx<8e^6&ucbLM6UC^PK((a-A}XVRA#hn=tlYbQK_vz$dZ^7PRr
zbxwo<uq0=izAk^3z5qwd12`8hYBg^m-c##oy7}MRNY7`kBpXQ5_o|(>OugA^sdARW
z+yd?lrEQPfHy?zWoaw9!##DA}wC?wC)T+ZN)wV$TZr>&C*UvYS`t=eiEjHC|W?B^+
z@a^?A+a|#09Rhk>V3UOye16WsFOz7aZq04lXa!k-M5UCR%+b|!xV6tix@HF3sOOG3
zcmeEW<3S=2>f-@iC^Pg>v|GZTOuiqlMeL2a8azPs$qH>2kdt7~+3MRBplX8>TUr`O
z`Un3deEr;8hpIr1kjs=)4=E+2J2uWpEE+-F&U8$(Nz=BYXDXn&rZhE!2!M?^hWjCj
zshNp6a@m2VW(s(}fLSiWW%78<F?&?+aL*$i*YP7dehP5_C^5XA!yMB>$tAK`9ly$C
zOwSoxS9Ms^K|WxSA&Y>><}W!YZl5M{DK#3one$`j(7_4IP;aEn7M+u1pnz{7lJnE^
z%|{U$SL<CH7y*ajI5?woD57{`t_K+mj8Db68`ryX+%Tv_44-4h7HD#*mZv#Jv^<go
znor=Mt-|eexgX>JLTx^PYn^&nWBzMv%osxi^P2~ZEwti85qcCKjL@U_K!hH}_ebba
zygx$M-*G_z${<1E%`%WF8<Ehc4iT#8Cz%b-s~9!+8nc#)sa`y6&#Jb*KBY=omFU}p
zE*wO-SE+?V2)UzttL0Dy(hBLZGl?-C_5@gHd}?pyox7a11Pu1(4x1BU*hCPrXG+9f
z{b~wR;^SPN3PwwrGc=geMuj{?0U2|(k~u@FzLL_^p_Uqjo26&q6!&8X?UJ&0XWne9
zTz~$3QZB)z&GeQT&mra*#*Ep9WX8*&DtZ7*?K+dM3#A>?y~Wxu57-IG^sJd5lyJaz
z?EEdb(kl<|P17>8QcY`YAHD<WtM6_XT(9GB58$F}1fl@B&-wbB6yXkhY9Z_D3sqaL
zts~lwo+H7lPS^C7i#5U>ukoIZl2HeCvVIr%(pK9TFAbL922<&=>j>Yh4K>s_Ihj|0
zwQzrQXiJyCIjnpf-Z_5)d$TE=At(>K{)B#R-^M7wNM{aF*_SLsKp$AOs`X}wg++l~
zegLi?wnM?~cIr@+DZmq6zkdU<qZvwO-()kDUlg`7!~|wGgt1;DAxLp8JZtQ$rp$>e
z*><rC0$l*1@Is1t653-P%_Rz^evlmR5w=Sl(y5lA-dWpUx2xa>NZ;wsM#{X8!1LXC
z$|;a3v4$`%wSaV3HcCBB+n&y?r%0NIdwrBEO#sCoeh&O&i5K<vw)Z)HE;;%!gvz&F
z?$Jk|>+=14EHn!q(fYOa9st{J?qm9?3i-wGSi5}|8E>Qx-+851e7#wfS2oCN`}!<!
z0nSnn8*T98xf|Rg>g!zliY3biOgqy*(k(HQhfs^UcXWG%0N*UK+WHVp<!)9UHd3>F
zRh7&5`*ryNFOZJRKIfx5lq`vt@g+s&O=~ICqx>@b<@^VR*3Q>A+*$Uw=dZvAa9S%1
zDt>5xh|9c?nePa1cO33KoTI|*WElf|*3%e6P;R6=c78n1N|I+f*S>BscRW`304~~1
z8;B3dIsUWgSumBqSE)2or~9f0s1AX0Hb6TT_BkAuG5zgnuU1+AU;X-BVdz^67>krI
zT!j(2r0}RL52W=p8x9}dm)I9RGG@Tqhj27^79Sm4Jk6vI^<9bHIDzz8sqw6mIul$T
zYAN?1!SVXxN1;OvI)itpA-r?x^)~vp=`-vunwOP^R9aJ18n&Z*TTjMJPsVgls(eqQ
zbFH^=b6Y($GXeH<bFW2fp<eg+najPQ#l!|ci;YU|SdKA)AATNA5^9ER$C{VRH~QD|
zjeBdmuVrkV<1ueW3es`5uM;1cMD0bAgL-~4W0ZoM-%DyK7}1}s?8pY#AErr}Ng|=I
zd^$mp8A|FqCjopmo+<raY~&4u@sUU;jFdp3@r^c4!OzwExO$Y~0G<A<AXvdzzMa*W
z-`Ikr!yj7-w|RNJUrFg}<7B|WLCdY!ez;`4gFbslFT#iX6TYT6qk1l$(61ea25Ydv
z167sR`H@k8t>Z8r;LrdhY0G6&!rbJcKJ0ACINhMb{vxkHN0E7Av`auJxk~T-;#WXn
zyY;R9Md5(Ye(>-5H?-6N)xJoaa^I<fSiMa@fN&9(DVPFK5P^<jUsX@wh-N%^Wh<^-
zEcRx@`L7EM9B;Zg2vczEsuWvd#Jr57BVzuDuTvcIx51I+72F_Psz?ezzr`hJhp8r&
zxmw-3OACZkeBR%;swZsgWv!w`@PzY&t)ZuQmE~98-lZ08*d5F_5Z!;V(Uj3DCQ>ll
z1n4M^=#LvaGi+=pwNsXq6qIsZ+Z-Ftz9z>>I2#8#aIi|N6ll-TFglA`6}t!;Fq6~M
z$}sii{7@D5eBt9X##(970-d%S5bboorIoUq>M5DsCz{0|IkCbfcI4r$>GRJTUY|$A
z9UGyaCmzpltR1d%m^6%u&jjDifJl1fB8BDD&`}YReo#}UpbKy#3nSLx9eIHT#G<YV
zNSSrv9n1U-!qad!k`4o-31IJ0$CVhj>bCFfazy#JgKRGTHkPEjtg~q&!BH(B``g}H
ztm#r&*;iTITVQiLIY9zs_dl(F0}D~JgDdX7B{%`Dsc9-9Z`LB)<``%swMsJ3v>mvz
z)iIt0mjLbl4G;hJ@Adi;eOH7!7o>+}kyD_%TMs1tLb6aeeWXm@-9r7GN7yr^`lZ&j
zR#H^3#)cK^>2?I4I2~2V3uE|Exl!PVa~SPwX<ADECQ0Xb=8J!g)E*;JNeYJ_mb$$;
z;RG)1ohG*p|DQGBO?`ojCZKTm6u!SjcxRkK$xXx%u)Zs4_>|(${)bG<%>gILP+8=$
zuX%JCu?wIHd{v`4Z$zQZ<ZfxKu;`wE_7Q`hLSL{M`KD%cZE;^&PxExZ<_x>ecrU`(
z_(AyZ!3~-!C{{StnrG5(NFgsxS|DROk=qw*raPA){M&ObBEc%>$IB@t{x}xPb-4K>
z9cPAWYu&Pi>OX)~N+m%01Gvyi<(00!T3^!(hd4pZyhB?lb4^zIBB?LKCoj~a-DuH_
zqQFVQxmM_S^nhCGE4f>&C+$9ZzzMalWG7RmuE7cD-p3ON*_=lAyseW}*oTtybq+s+
z({yLUlIP*V7CYXl$>7fBLYIHQKTzA(G=WN4RRl};8tmwo-vt&ME5LsQcO1?c_u%iX
zz12VfVCf~h!T^uw;Za+Fn162V+iYC_1umod#XLzFlRz&&2Ynvw0j*68H(HXeC<mbR
zCL}aNNf+Po8n^}7uE-ADf$V<o!L4axe!FR8L60huWjj#j_VQa>5q8uAlu_TYoBr^(
zqh*6_N+mZCu#5KY*hNSL$WQ;((>#3fa*bz(CAfi9e3a9MzM&YSDdGs_P1mXRUcJBQ
z%@f~!s2oPB)$<M}if=ote8XQM-_llg>=;V&wkX4}+NTXlK67=veYH_gr|bIuv<wvR
zr=S1mb7LHcwa&<9?<B17oso<#F`-{ZNL^;zdtd2Rm)SGPnzR|HZZ$&PZiIkfO{YZz
zc4#NA(~D>;b?M^4eRM$L!>7$O#}|P6jC!sczeFW(X>$v;yB$a#e&*%*ZMD#P<-UAG
zlHu#g01^O&rNM_)oG_NrR~srurBV3-zk7HAOzvGy-&|;E#kooje!a}`=dvpR2V(K*
z{;@;A!n)gPsfW!IT4=YD%W5ZTsnl`v6ukS$S_N+bZH|sD;+#|jWVALvK6UaXB)YS^
zYx5S;y&cNs2Dnw$bS*aAq&4P^EAIyD;6A#{+8mRuy@p5t&DyyJ`hxyCOBks0Xv>5u
zEsFW+TA``8bbZ|51Dv>y@f1|9=r}z4$u-cnTB)PC?yzUL1CQ1kZ7;{CD)iNoO;;y*
zpF8>70xcz1ho{f<&LMS(C(sHD12FEKCZ+1a`;+gMtuFW>-)_=K-kt1(w-yTHBdYs8
zU&~Mud7P<drH)ayUq8Ezv_J6`?Ux!UbWu?Fj`uge`3v8pj(EYzH1?HpRF<^WvU8UD
z&X#V{ub(MRl#W-}>)Dbs*>MyIfZGt}w2OPFag#1VRNWj3J^DRk&xtm(v%v<sZ{F8;
z&-DtM*vq~t*QkEL4JAVqQ$fr76JfP$;G;kf;MgP4nmIZ3v>t>&^PD{mZCd9C+nE<|
zleOPsq+EvQo`DC5Ke?ZbKWyE5g|%~*W4C7DqBSE5aPiVjtPyRqZt*N@P;JwtzUqDb
z-KN*B>0`@{snTe5Z#$<b!0oYW9zk6{0deo&;6$hIQEpO8fUlBFUy=!1R4{Y@c0m>L
zwL?uCoV?#Q%!aj-J*jWbfxHXn{_uM=ct97Ae*i6(&t??r&hh){j&Z6F5T`}m<}-{h
z{{_6H{>IPirag1r<kNWfrE{{w>}%S0DX(XHdB}P5QR}K4b_9|E?20Jt(DF;_h_?Fq
zRWPp2!NUj1%vVlMMSBVqMRRbwD129me$IQOe_OBj5h4IDmKu&#y~*3a-ShhzLXC5c
z1E>lKDb7UtSvVd(1MP@kg5TCoA#T1DMFK6G^|FIXb)Pcz-52lx?X?p8F1W9sUL=S3
z(Z&m<2XD4@`EN9Jd-Bj|<PAyTbIzI)@?1jj%c|OUraR33WB2iJ2b|Pe0FJi?ybHg7
zy_cl`dTMi6lh|{E4Jt(UhW_>F9>lVKQGZtk6hJc>#p|1`{XD1hhg1s0vbN7kEMX5E
zr4R_;iPJTA@2@f3Z0UO=Y<{h6*gfSH_4s^W4~p|rOoB}n*x-?JICg*VA;M&AaKG-=
z>Q%&IvEy|FWma)>vkD)ezjC<o9f|C&OG$4vX`#xygI#`)-z_t1A}W7;_$I44_OODW
zJU|HmyKg`wJ?yt44K9GF9hvEa<pMs$Pn!?pqy!W;)qy}dbDy6E9(DP~j6YVl#}sOl
zoCi9n#KJ;yTz&ZqzyR%>!>3@84buZ0TT}ST-^Mu(1)L6+aobFm&hd_Mp%=0ZZ7?H<
zQoEFEyI}}#rvxp&T%ql~>>Z6h)#(QpUWU>?7si?aQw$xKDFCCjn4UKfpC;Y(-xSbt
z5?<?ejWmJB2<}(<O6&)v9w~e0z!EaT0zWk0ZeQEuw})$PBjF#wPdr6!AjkkjFQW_>
z@_xOt2XB@l;(PG)=i~_6F^QW_jZ>js_oFm<q=w6!$jC*N_UGZ%%NO9gW3=d`d!M`)
zZGP(H)+Ri_*u&kYY#xPMtvhOK+!|$Cx21WGM!j}llQ9XV@_02bD`j<0oweKb@$1GG
zHC==gkUI{JsdUXf6V)Z9@)CAbaZYqs;gzSVc5Ln5N+~;R=bEt+p^I-WhMP8l@nNqh
zqqwJ<1zWug4`Z3_yZ({n`zGys09KAE0hu>4wfS<ieeUU?wrg6q?}Hm!%}UMHp&z@}
zs8*%sJy)E=(dWWcVEu|Ja6A_l*wVt<a+S7sDZ!pCtic<cs2)a8zsSZH7C6S){&zls
z2iU#+OGst!0-`1*l-`<Ch&Eq~g2&+$CBMMR^Yyc|?7{JB0fAJXU*H1B>aB6_UcG)o
z0Zu@)dNygVIXdy@&BGb9+st-Hz>)BI7;HrDK%d|}Yx{DGl=>78e!{OZ9)W0QJr=O*
zq{qDo9R-OBW_N`tJcT__<GLDs{kjJa-NLmNi2=A>G%YWNi@<``;?)=BkzwcDd!V{<
z<_7lgqGY&`__%tZI$rIp@<`w&+Th0>COU~j@aq>7+R$!oQp<J_b7-+Ecbmc~K@_6x
z`kUYU``>$puTc3}0beN(6`n?xs2giIP<g%{Ey*r9RS+%CX>Zy;jRmP_x=eDM3gS;e
zu$@7@?%o@cvuOzmW_M};e=_7ED=`)`*x+uN2`bKOEdj2e7lQZg=Mbay6t(qGwOn6F
z$s^<}#O+J8;l#%pXVLVY9aEUESuM>CXW3kMS@vN#vj_td(DHVa5J|Bp08NQTSnagm
zi4-DKFI6hXE7$Q2NoaEVu{U_w7C?oPGNfbolap;#+Kl3Q1!G6y2btj?t?bvFrSc+a
zF3rw^bK;aDu74Q1GZw3m*G*9V5xoX8)lJ0VcdC&JO_sRM>FlrA_hCQ+Ff|Xye#z<F
z38$yRn&^5;qz`C1<xME$r%Wx7$a9|4AIDb4fVo;iSM}T5hk&1wuuO(AHD2;eY4;Fk
z4Fd5F_KFkvis1lN?FS5kFm7mRC8XU#RlE=wx_v+3BV>8+;-7sVoBHe+Uhb18^!6*=
zE-4UxFHH?_ARmx`X#417J9^=cH_4Lz!Eb|>Rwg5Gso&b;GAMvu>y~8k512yimnqzx
zk6|D?!PpVLLUuu09-kK#va~eX1$AA(s3N{k<1!^uW)5(U%<U5tugtlN*$xiP2(V9o
zBp+Rj*a1WBhk4}&;8h)2>m@42WgBQB0Z=}szb<(X?FvCA`-N7xMqG<fcVD<Tf3PnC
zaJ)|ai5I?w$LDx#zAh-%@6Y9ETmrincnl0I@Bv(Cn6km{YIz4!$`ZeIo6MR8xT$7I
z1r^qBx5~mn6$(f_t?zmU$v}#5Qd*R1U(VXSUBXQXGC{^*^1jqCQ+7%(<t`2{gAHC|
zYTfCxE+U*cImg6oLr9=OnRbnsF$oHw1ebs-v^CGab<mnQ-+?`{GHZ{aIzSX?8fEtH
z0_;BK`Mrf*0PU!kg0jK6>@yI;*oTO*ZG}`wV?6!GzfND-a8@tL{OKBy0k(8*pmKgZ
z%LRK!$mINa{km#2HHT$6%rPoS`aS4^nTB?2qou1N^KX}jV;-Q(nln|{Jln(B2D?$f
zwn$>kn#UK8VY<+>5xEb66pioIc}8@euyv9z2mQB}#W?F|{x&Zg;iEDn-dbK7DN!f2
zs3Oaptw&Rc+f*C!w8&Fk6hiBhvj@&r*pNkMJmH=}5ZJiBWh<DhlSuid1Cmn>hjeSL
z@?#|1Yh}N3&Qo6NQ|oY8BN<RQZs%8t+Zk5=>`=kXPhq{nRWb^;atSq@C=fT6f4`=(
zd<l{T74Tq!R&WhY+37;l&5QwDfKvu9zQU=H6nnD%3@LL>vk0}^+>WeYk8mv#$Na(C
zzheG~<lr?{*5{<$JPUyk;gT4+Z0)Q`U<_v)&JFe(Vxj6ux$US<p%M#Z31AGby+tny
zC4nqglA~IO#7(CF<NBTc<NuaE<{k-W^_Ai1wz<bl6_LNef;|6j`%YvOUtCbrvs579
zTX5`)F^s*|QE*hhz$bi6i^f^sm_MiUFn<(AH8pI9q_G6na=oc<k49>xy-B>a#ON44
zq3`LWOjXR+S#C6)_-tcL{{;SFVGI1w(nD)bYt7H4&iJ<}nSW0EL$w}!m$H5ANl~r!
zjWx<Ri=09Z?x_o0@&ah(%{MfUJBFvYS>y;9fs}EF*lhc|Zz&`n%g~l)*JB}HlHgMb
z;78kA(1+!M{`J5)%G%n_rkhYLZ3kO%)#sV(0wlD1Sr63h?JMKf^i;4zy$+tTKOe-e
z=s0x+1VB-lPTRM$=LO*5`S3nsU#AC370xHfU^Kuz%}%|}OM^f79ujMudk|_X7;MY~
zy~aHHmp)DdW4axe+%enPi}uY~+s<8#^Zdg&XClTAn>hE=jA!9^xlf)FLMnf*jVatS
zw`y{_L0+!wcC;c2Xx*LbQp^O<JnE+#IiK7tr@0I%Nu@c`C<!@Q>nDA-k;JV{^G|_;
z3{Xza|KaE45jcvV1YVXzeKCweYw5EMa%E8VQ9o~N;T0%ZZ3)qwN9`L$0Wr#x1N9i{
zHCoX(-33LR6p}#(AbH)x7c3trbvU*^N<$RTDl55m(gb&Vt#g%>AU{*cH129bEtNrG
zfA?b^40CebrZ%qo{aQZS590!CMyo{AdbNw%2CqLk7c$?-F4iysJ&}jyTYI<)Jm-@V
z_83QjaE7*41&xyD^alcSPAK15P+R4jh2<T^soGl36nOIfC@8Ec3R%!3enaz=k*}2}
z?~__Ge8Qc>OhkDE-Y|Jfk@ZAU!ryT?074j>MvT{VY^&Whgyr$R{4!h=R1gVf(+dfF
z!)U*je4^(P9-DZDb`4Hu5o(Gfp8HYOkT7wccNk~69fnpgGz5TFtxoHc2S=psJ>hFU
zb(nsXe(E+Q8R56@`z2i!c@Ak94L9%qqbb52`1(ZCz&s!nwv;W&U_{&BxaO%UdNK$(
z=eo3JzE(mxnMBVw)Lay_Mt8J%;ZjBBh>jMsGWyiFK<mt@%S`4p2XkAEujrCWW)w)?
zB?<J*^$nU64hx!XH~@I{!a;I0a_r$G5pt|*4i1J;a4MXGfuR7GEs9J-5egSB4x*C&
zBY8p-KO7LZLEwO(@opawpMYu%OESXWVL)8dKbMZQy`M346$dB%m;k@z$^ntlKSup7
zF!!$g&N>_@he2=5Ia&Sa&u3ff^4Db&&RG|+XWeb^hdOos^W3_UI#6L(b#>jWA|Mvu
zFOPsKi0Hpu<j%4V`vB_X6XAnzzxl|Fl_>4&61)MY%896ryHS9bp^=6y6{_Q1g{B0z
zx(ay?AYm@2Uy=pJA^sfB9wLAO*ni|<HRM=kc$l$c{@jT<u4(|euzQbbC!?=CaO06Q
z-7)8#Kg{;+G0U9?oaK<V|FOfnb7D6oEXOHld;yF4yimlS(k~mko!O>KY)K<6%KLS3
z;dS-5zNUJR+ypI@eMM2&a};=g@~FY~R@_;p4pZR(wb#DV(XQr><opBr&uQ4V`4TB=
zEefW?Kq@P4S~;cNHF8r`&N=4bdlfmqSN}CKTNX%~O3kF^Bqn|#o0=na6s}|LS(Z4h
zwCF#BZ!e+rFGh#EPs+ddGk7h4?<Vp3X8{g~_Y6)LQg|O>kA5TKnd4$LjGj95FQb8t
zv*^x0dmF0ZF?eQim(BarP#GYW-~^gq#u1u)lLMTMvm{PCeST-t7or`PC6#<(t>!C)
z$cNpmjy#1}sFU3<JEhDaztHmHal-Gz^p*BG<O_~AnNFbcrW-K;PqWQ8i$aH=;VU@v
z+-?ClQn&NUElAiBFojpo%$aR;*RHWO?P++;x@*dY)Eq<!KFvZLz?=az=N7W*B<e~)
z->}=iggdLZ6ZWt2vO_qcWlI5sI|^Ew5yWnyKmpK*@vbxGDCV;>6z9z-gzJh>?e!2x
zVWGYC2eEAGtloB!r`om8{s9ccmM-ewNC4K~81svD3P&z)SFRkmD87BX!3jJY+0=1{
z&q1p!Nnkd>fauLfm?lZh{Kr7d=^v7c>{o>`dWNWgL_t~$vp0B>gLj&MXm@QO?$x}j
z(IMNprAByZ)aJWmJZ5s+*W)+1?+$>oUqOEaucwrNz6U)<L2QrlU?6ZAL2T9;+o?3@
z(Lbs`NYTH>1Wpbb0S=IG7}^&(t{~BEsZ03f3#qjrzcxv{GY`T+GnwAO57np9FqNIl
zahoyN;3VH<oQU&<Ic_D4eFCG!%3Dr|m^d{aQ_VbVVn{i~8BsC>z8c}HIxE5Z1y>Q{
z;zG50rhmA)6(bv|i-_C(Ezkg%FAA=I2T>aCv$n}#M=Ts3g2~86OQ@_cR-n{TP$QIz
z%Y-c}tchkkrDY3g>!3|W<V93-H6rz`Xr3^S@KDRF-A(}yfm34xI;W*_2^{gs+p0~{
zqJU2$5OoW4S#q*<97c1xHyP8n9Oy~nN8qqX!gmzoIUT1oj2(pIZy(Y=tV#3fUlg2z
z#NsBL)G`W<mpChtxKPyytubNvJ^zA`#h2HTI+|Wf+WkeRMP%YE`~Z%|L$iAYCtyDy
z<7+QW5fhL3nYZ=4);8wH|L`};nfmqm0X@c&W}xBIEpSIZ_D4+R^c&;AlKI`A&>crQ
z3uzgD_$4pyXqw-+@6>OcH_sQ8Qh=(Dwk${h(ws+9w(|yu+~6-jyr>z|(|@L?gum)K
z*x<!g>(CEN<PSw4wnBYGA&gUE)*VVt-BJhl;Al=vy$k2g(i})(eE`}X;EkoKAZw3@
ztISBt>+H%CV_ra4d=@Y8gjKM57V`01lI}R&<T5A7_M;^scbOdTI#cOtW|USJ@0vBW
zG0pG+yP-FfK=l1ncLzsAL;oUpTH_sT0dqQ21Mn$k+LX>(*}D#JN~^~DNHooyXLtb)
z@aepS+{Fga!`YtNatBMJLS;I|O{eI0XzS7OBx`5Idi$IV*9nqYM)lRHDks3|D^vYQ
zx@xotD%Ul@(Q8#s0$mQpRK_S?H6*daxnNYpCGRp^_0@&yDcv=~(Va?HS^5T_k^%JE
z98a<1yD23gX~OHaEOwayrLU%|M-h;Cx;j;V*yyWn)Ddaumpe7KK_Tk-l}dGbacO0#
zy0M7(N}N=U-PagrCz|l~*(sbAjVRz^eE_b5ejOk4os33^&-zOUS|?bL0D2{Tp;uD)
zrufQ5eL{}TFMEA8%I$9a3HNS**Al?*piv8y^d}E`Ce*L!cBok-;MEZLZwFk-DWK|p
zf0+S|4v?Ix_@%RNSI_B>ff~+$e(+mCivFUWtN`99G@n?H>8*G||8m4g^87L3Ymc)d
zR^iUmOgat`bBM-nPg2EzQN07x^Pyhq!>v#<e_OxjWCv>UrZFbX7cLda$@}{+pd`Cf
zNKW#PQnRhL<8o3};Ft9gsI<$$p`s=F=53c^lT+*wwb882k~!kC%~4Q6MAngF%bO!9
zUmf+o_?cY%2{}i?p%}k2G&2IyEz|!%OHR?~QVN~^O8Gq;oa}>ijx&4EoY}FI`YskA
zH6^EPN&Wby!rmuw-pmhkI1Gt~k8#Nd1TXIAwS-=bmh5sslrLHg;qH%fIDs|Hcb7l`
zcF!uYs8+d3@+Y_Va6kewwT9keM&DZr`I|R?JSI0&!k0dzG_KMV+*%l|Eef>a=sF$a
zR0rrf1J4-4+9m$HYdlD)2#ZPWIwR@f1S83mnWLE@$1+1&zd*9YI43Qo+*-nv?T&MJ
zbGQTCaTH7jRGxPpU$g?q4>2kuMaEQbQ@fgerqK##|H@WoD2ozHA4v@vGltF2DVouj
zVZGZL?6owvxjy}ZAqutiHK*!dkBOvG;oW}1x4$qU(%4U%B_@9Bk4{e1h5ns@Nq(|Y
z&sCs78}O~xW`L*grHC+ddK>ZI2<KHH!_S=Q9G8fDJTHi8t^M)K2rE#QKV<cPMbbpl
zSW7;kPFofUYZAa0;kRdM6@m>hKQX+xc1cg(2-S)dw06m?Ll>03LyUJP8c1nSLNg(?
zr+~ju+#u;)iU~Q-cj-NNm;Sq@Oq+vCB+gWvlNp{i7^BjS;)SB}oRQMpIJ7_UpKvNQ
z4R3G%^M9sD=RSaYJGY%fj<I7EXFACp2f!A<TuGPt&8m$2zpC>yei$y%#{4=K$>09a
ze@OBOcgO<llz2ya?|x;k*z_t5YN@_<$^JlfKr5|XN}7%cXle~V&myI*nc*Ba@l6v~
zUN|UYdYhOr=4GT9k&x`}2o+%H2;!YRZw#wmGuD;<Rb-Gi49CpcrS7IQV>X>lL~H3u
zLtWFwSn3)IaZSo*Q_3b%s3Mxt*9m6KZ%4tHwoNb+tq7rDQEIbb(Uc~^jOfW3a>V2D
z3IaefDtr@<e7svS5@|j*u!#o+=#Ok!rY&qICS9BAYv$sQFAcU)j#wpLiC-qxM=vgX
zE=5CW8AM&*&SCFMB78oOu}ilQ^%fFnc#+2`$@{jXieGPvfz}ka<-I^c?&Z?UMTFj#
z<P_g>lma4mxqt?3fcdPXLT(EbCh>U84Ak68yf#pOsC_ok%tCVQ4d2OC^j|a8?}>L$
z<IlW<X;|-4i6txj7<_R(6_w&~;2<{OIMWD#R?+EhyaK!ks;mDJHpl#hTjRRq@ybwT
z4}Oobt5RjU%MKvFTgL?{a25Rh*@J!@-=u+ruT9}!YJ(?0c>wjWYQz@eR31PVQy09g
z7JsZ)%n!s@d7)1kGdpfVp_+2<;}@FV(^HA~l32X|r2i5X7eEOZHK6Zj>X*0)Q-|>9
z^BVv5=YYQCgF{myqAgH7>fdkZ4L$X^G6>I@A+Tbp{}N-=$F>@|RG1o@(+W?*6kr0y
z!Igg2U}6ZG;`b3_De;D0TVDp8Pl1)w@H%m?7*K)4j0VSxdA6N=CReI@pQqU+H~>p+
z&MEXN{`NVK!?AokD9QFpwJ1FBO(|wM#FYnk8PukiqCb<Qf2NbZen0XV8+jj(RQZ)t
z9C!d+-vXF4W9w~CNLPwIC17RdNS?UOJ#hfGG$F7iz$Irykfu67VtXBIckLcUxNOVD
zi%egGi&JZWAN&J&)EsrjWfL$&JEukgsp>Q|uk9Z(qhkGYj`jvo_)PPPEISGZIlKbk
zwj;ixWus<U+{=_-L16n6XaH>M|M`pmGKgm>Gi7|qZHL*^2B}=t`*J}P$c+wrRIM64
z&rr*N_u%Z8qyzr`;7B_Qx|<iC@gk+QCD@#j##So*TH0LOJHU@G&_bN!uG#fPwPAXU
zlMmoZ#_CP?{Uf33@-Swd+)+RAh&k*tXw%K3AcY^!HJ^Q?h$0Lc*pI#|QT>PFtnikf
zyY#%-;{jdDH}vPTFEyY3jgUmX4S&;CiWo0SXmiI9%?Jtpc+vIS^mB*yu_K5l#=`OW
z0C6?a@uOcu_`m&wUm3`;<Jj5yCm-4Z1&5_w)j8k+@Qc*&i|kK83XUD2aL!~`2~~XC
zRkocO)4j(ue=B!52=dQ3(M9UP7n6C@6`@RQVSKC|obDJ6E;g3`k`mckfCAd_cOnEE
zFZLMenmOXnxC79g$~Kv4u&6(Ym7J5s#8?~9MTv@!Uzxt&(67)yIw8sM6+BXh(u)M!
zUY9iSX@nKHMj2j-y;mPtQM4q$zzV5OY+zBd4bUpsRDq}a=LAvQcRZz4lils5um1|e
zk}aL&ksN&cSl6Y=>N*kX=dx=zfYoEUd!~JAgvHpG!PSUWp#EdFxqA<hDBvN`B{?x*
zb$zH^OtUh;(1>HOjK1%Bh9B$7jF@4D^tDSA5s-H-3({q#ahH9Ouv<EHhT2UBTSLY3
zFDPbXB3U^Uo(QV+RucFUmFt+@ox-jS(a=0Irm{;s62DF);RBw;8FOjS=f^l+1=L-H
zEZ?wY<{7WTQ@7wTJgQ@bGVmllO@n8o0#*`grWR7wSQG!4QG}eYnDkKc!1wfD5elL}
z*k*wcLwtCQZLqpmM};MA8WYRKb3!p!0crNa#e?+Ahrjrqq`@bli_PrPFY}a=R2@wR
zz&2GmAbLI!g81a<W-FiY^f#wZc{d(8eU%UHuq*m2^i^fLvb3O%0R?pBDQtrMX^Ijx
zvhc|dSj_1zmN;H&F8q!gmWyp7IKHl2umJS>Dkx)Y<kV6S_kcaQbH_e1zjKFG14?%m
zm?9CiR=wj*+aIB<-l4#NYLz^InN<nlKVkU~2Np93=mKE5Ps{`gRGnf!>sDBEJ#~k-
z>`#99`8?UQ{`5g*fiq(s&K_G-3ulmKMb>$d;U*lQQ~xv!3w<4*o4&8@WZ({MP4x~e
zP|ATjv=GJ+Jh`XSfZe#qI8#O?6hFnT5-46ls7rQ4ddBA_Z5xECw1BgDTNfggexbmp
z;suJ5bKcsoNJjM_AABnfDJ`%dRfGEEs-qC})ZyJN#NR+Lq<1mu2+-?rTKRLT#4L9m
zeOIb?J=Z(pYMjJ=+8Y@;H@Z*VGx~>xfZMsA+jz$?0bS6y0{W*E58!4K&ltysL8dL}
ziBvyijNhPGbWtb;kz$-PIY1TQ8GCcj#D#d%zIrFoz}JnS%q*A-wY<<$3>biTF1Jok
zVnVyo+o09z2M0p&+|z=<_X13iqMa!bed7A>tn34#Zg+fPTA}B0b^Si5*B2!Vd{aFM
z90gta7gX@q0D(8mEK06b3a)3}Bu$_5Y&#e84mb|~J8<zLlRW?b`23e>0s<`G<m13;
zhjUK2MpQ)Fcn%LB1MEr6w%-o2W7J1F!69QNq6%Ln8f349HF<g(qTo+B*?an_$K=wA
zb7x`P41SPxx*Fk`h3!q2=({D|hWLHw-kn&*4j?2%;TR%c{Dx4DQ5{a6tp}8t1XvYw
zUIKb|FkV7nx8tc^du|8OBSSLJCb+<grnkv&trjR%A)lwS-2%lay#VI5LP3%)4ab;P
z_Ps?l!Jb=c<|>D!0DE$8aT-^8-wk+@xz_aNIP<8{(igw1H#~Zn7$c(U=AgO-gmE~|
zCh8em!x%t6fk|>5Gu^;G;Qe4J4G%C#>q!aDW&`vG-v8lO92T**QGxHp<BR(CM2p<B
z1d^U1GPv6S&gt#X{s}y5AwZw&tvnF(;#p`bpaDF08osqQj5Z;!P!+m`5*J_VR#0~&
z3xo;{H*0H`n9Ii5LQcQ&QMQKzk@|4DsDyah^*eoXhX*F|3lP&{=|67mx||g8V=SXy
zuxGzzu2xN+GtMa*BcPwNHEUqJhoP~{E^6^2+!y~nyqKa)wv>K-`H<1RDN(=jq2e5U
z@i?~@rPF!%osD?C)~M8hQc*$Jxe{NjtyE|YD{w*B`6T|Z_N4L<G)|F0*!eWRRC`)s
z2R?-h!cws`Su)dGajFwZyVaN}W+pR+vuld>M@w*LOWL<nq&vk?0BEO9v_59pLT8rx
zVfj=`-Ir}@a<uPH|2}6Y0QD1RVgN2<Jlbz7OIRim#AZG13&l#|oQ~EkX`Nf~wc1u?
z4Y4h_HOhdny$Ej(?$$vy%Ez8@{|`Q=tj-xWmLllC+hwGTk8>9N_n)(46Nl2{I=p!D
zul@z%nHcRWtvlZ1Jgwgd=pAAinOGUVdz*gjc4lgw83D8&C&r1fD^0#wFK4H8SKk-^
z3Zbj-cj9q(y05D9a~&Z9V9vNcv;V>8L)Ab|lgd^-!t17XD<*m3!E?m{uFhtKrUv7V
z)<3%npp^72qptol(LlOZnG$2a<`{+Rt6YQc=-<=s8oxp+J%(Bras3D25!J1dGVP!1
z6+Wd;N7@rY;19>FFl(3aTsbQVuMkvLKU`Z}U-mv&dH#5LeQkZ^`R0bItUljddH(UT
zy6|vyeN(M3uRPz_TzvKnT<agc0Q-cx{e11&$B(_2s~@j>x7L?GU0oknA8(^gsJp8l
zdmk>o^q#N2Q17ljKeFkqfBf8AeePYq;5}OYWMyd?MQyA+e!l!DC|x~T-dtYVTz)j6
z%Im97m!F3z<<-^AXRC{kme<wf#N^aOQN6qTY-#nw<*ZtGw!FBp?0vGbv9hT)wMY{y
ztH&TXnh<CLh`PAGzPj$2Hlf{YFI%Q6i_e#qpQ#II>7&KXMeoH5u!qauv(=5w3H4%S
zZQ0vwEE~DctLiG-@2xLGH7~svi_bT`%~kd8{KEXzOWwr9gl9y0u?UGaK3-Z{-q`ry
zW6g`A(7LK9V3Ar5<EVCRS!vC#FE6crvb_G%TUuOylvP)k5%C_aLW-3Qux&P0Ki*Wf
zQ_ib-(@oEpU#Nu}7Z)zv*h!N4t2b|5xN>EuB;WL}RnFq(%Ib5qxw`5-TzNd9!sHE2
z-1rbJpHPiucF2T!cYXEw<FKzdxUc9x%23I2w^)Gd_df3Z)_XtzH(s9*MEuex2x%|Y
zpqf=?x{GSMy8I%ng&nfAx(-ck2E++P>e~A1((<E^VcgV|w#4VlFtg27blKYS;wE}j
z`geU<TM5!uo_p_m8x!j0;^yi`W97=?!wq%o#>IQrZm8le|J3<>9)F9G|A@sA#*!Kx
z&}fHBq?O_<h=&>xv;%n@z2BPhR#dXr$*_=8M=v;UA|)1g^pB>-OA7B!%D?u66ODGb
zs7n`218?x}d4~UNrcM+dAMfN~zsWB6EO82c!P$i0#lw0P?x}fs8E60v{WY1cfa^c!
zs*m6%gy9NT1%cTQ5%Tx~;Bo-?{a=Nb>$#}nAH4rTYJrKL!rgij<92|%rL*U_xV_w%
z-*dO(w{tEQK#rvcf|B+22k@RPFL87ADT~O%z5k3e<7>FISs{S}^oIG_XWW#T_MD}}
zchV-tsWu91{l4G($1f24^>2Tm;u|cj^kU!8NlK75cKVEw<17e3LAjO*{K+p#nASB9
z7V3yrKB9&u+NUImjW9dI>9+eHt^L)nKBwS-*EJR2JNA}D4)^qK{yukqTs{FG!@cVH
z7JN2!Kb<KB==BZNUtZZ<T7|jZl)3Y5%q@$LmrvtQw|(uuTQ~0cMOeiRxJ@{exTAmY
zNoY|?*cSLep}D-8p*dAmNR7FsC+hf%mqp9_wW5R!D6b1Kj+28XJjYbT0nHc{*h~qy
zn4kF=4r@00yJMQqlohEDdHR)NJ%BR-_R7j52|D(j2yQpFN`Kve1S5%H+*hCkZ7Zzn
zJmPdaW85U!mM|A3)y!4~(00-e`7Hk#!-KZ$^3U|u)3B#^VHEO=4s@|f{B!Ljo&V#X
zp&y7y&5<4uI3|TQjDYQ8c+iBy2-#lJqJ0<kBC+#unnA+m7?o>vWKu{9Kx;jW8EqO)
zE2xbId_Y8=*BWDqlp^dy+e?((wu*{j{1rk|53o=d+O9~Eq7Y(%Q0h#Z_UWk|JB)qh
zefSM~N_UHV=!WtrCd;*9&>iiRK_?p0Hk?^BF|b><i9NSlNG&m4YpYu-wT0|fOWW}O
z@?ZVD(ud~Ptj*MFvV}1z)t08&sAg70weJ?P0H!ni4#J@Qx}$7y>@<sa+0G#mIh5`r
z<BM`hjr?Qx%su~x-9u~8c_j?Zge?%-PFToi%t=@!Pk@W)<Q3sHhT2#nhZ<XNLv|G7
z=hlEA1Z)9&Z9*3H3Vq0eNQ+_z1Cu@&$kjzg&8MxKeZwNCdxqx_vbOUGDGh0@*lSHQ
zB}Q?RN0XE>3D81JA9+F1mKhC+NB(6pO0BKRM-y5XD3X$V8%|)@P)H@t6pJ$l>trbi
zb|~jH$U6dyFo|3?zP`kRTW8L^+_5N=ou$2|ckb1}t?iOgi*(dA9p$F$Uh7^vxOH&r
z+$+lP9sENOKz~W8%vxy4Fnw4DlDWIZo)de4WV^~Fm6zeis$NNznE3VHuv7uXH34PF
zc<LvIewArc88$Sd>iw#}P3d?0997p-DJE8?sYn#oz*d6V+|Jjgon)t?w6%&y;bqFE
zyn?+Z_VpgK0)D(ekGa1yZ<}~*J%EY>NF&(*QH$sk+QK}7*^q|~o<x|Qcm`iPmEb1$
z9^4hh>rKEA?~KqrW^c`;gVH&1y{FW(!mAk+GJ~|4XDX4&yuwI}#oLsd!9NviYg6%V
zrm6&Yp#razzOL5PfC%KF{;8LMg7W%D%obZE{?}joHKYth%RwYy7DU=3II>fIfmbSa
z@}!DQpM+pDY_D=h@K68t>a&?lb3rB5777dAEtLp|+;^IJ--`;wa+^eY)g0ZHt_fjX
z2Q9mY1g6<;a)Ya0(={{Ce(&eB@ZgHYbT@ye*k7cWy7v$<MKm|1MWD5omVRahkj(4K
zeP~M*O5j^YE1{9=;6dTA6aB$6mS6>^F#xQMojYgZO?o2(r$CcNbf&wBQU|H7+G6^j
z)>BC(+=<b1fev%$U>`&0awqrbz!U|_=;;9!r=|cfv9pKHpR=v;klnUO|7w(G5!RuT
zIh8zj&Lf}_6QBatbN+ncOg{=cQ#gNKx#!Mhipm{0Juz-&&Z)$ibFp)%sCcIPOi{JZ
zoNF6uJBP7z@?7%VNtKv6o1hqnCr(f0V578&KoVC3c$HCZGLsZz{hxnRh#bvS4`)X`
z9d76|;z!z#;zId<$&an8WCvUZ?hUwuaEIW=;fip_;ZDPq;C#5Z;cmmd2e$<G1nwia
zEx6ZkXw2V%AA^2Ua6NGQ;0ED5xI=Jn!cD@>z@3Nl;ogS31$P&&4)+-DDcl;INc=*u
zzcXL{M#G=~3~E1511Q1U<IxrbdIL-lrVE63qZ9TvR<4BA&CSK7ryi~gai_-n)@Q4T
z>Kna>E6-LoU#dCWZ+agre*A1xy}kV5DsDU_Qk<NcK7QilTQjFFlq=PXzUt2;6o-5A
zI6OYRyd-tQ=lvlsdX{l{=6pjwHVaFaauP6l!MV2|RaLdDK2a-b3E{lL9Vo(e^?_Q{
zluPP1s8zKA-UYaCtD>4xC)Kois7|O!;BTrK{9i)+O?4cUX{5fXPQfSsCb*W6zKmEA
z)JGcs0MyS=no_;-x7AJMt6Ms~sIvAo7PEtZq<=dY+sqp(UhwgLDgDk#_<iO&?v0~d
z?ewpDU*>h+J8*m!GYgmg0NzXH2V@3c!#@{$+;-b}8(1U#<v%1@e^`0|82hGY3m$+a
zoSst`E}YD;3;^fz?vdVa{rle{ufR8LA0_YxlhdEh55H*NW1eTTydSS5>}2q7$8()d
z2|bj146Y1UeaqYm26g?2Qz*6f4lh}$v%7GB^Adb(NJ9ABUpZto18P!V&UW42d;r=y
z9N<6x47|3#{uSQU3h)6Xz*zn7{WIX{Kl-n`3ajJ5c;gP(y!_Yy9fJ4%!!N@B<i>R_
zhrFVlgaaHgtKe%R8XqJA!hv*s3DLI4N0077NUJz9lO5!x=7-~N_oZfT-r7hlGv&!A
zB>wKt!W%aN|L@=bwb};*Akc7Xzx&<m+!yVK0~EMi|HUtyV9zl5NrqMj*q?m%*1;<;
z=8i}dJ_mQ#(5cHpxO(jmewB(^ooM`DKlcweS1I1so~_^id&$_p`_F|X@SiONXn<_7
zmmb4)JP{gk3jAC@mb?b+^^NZ92pVR`@K--SY=o9SW~O2ZEQ!3IN$7V5!3xkb2EzD>
z2P)}&OC|TioqAtS-0+9%7P}-E{EkIUd#KM=3uel}&u8?@PiRQFfv?mmF7>|+2NL`O
zUXjE<$JP67ZIaHr^H*=*ENi^kqd6)4eor&~r?H=E;HMh+sRn+kfuCyN|3eL={%@wq
BzNG*F

literal 0
HcmV?d00001

diff --git a/legacy/fw_signatures.c b/legacy/fw_signatures.c
index 4317f8b9b..c887b1e40 100644
--- a/legacy/fw_signatures.c
+++ b/legacy/fw_signatures.c
@@ -64,6 +64,30 @@ static const uint8_t * const pubkey_v3[PUBKEYS] = {
 
 // the "new", or second signing scheme keys
 
+#if BOOTLOADER_QA
+/*
+ Previously used for QA bootloader upgrade tests
+
+ Debug private keys for v2 (previously called "new") scheme
+ corresponding to pubkeys below as python hexstring array:
+
+
+ ['4444444444444444444444444444444444444444444444444444444444444444',
+  '4545454545454545454545454545454545454545454545454545454545454545',
+  'bfc4bca9c9c228a16639d3503d999a733a439210b64cebe757a4fd03ca46a5c8',
+  '5518381d95e93e8eb68a294354989906e3828f36b4556a2ad85d8333294eb1b7',
+  '1d1d34168760dec092c9ff89377d8659076d2dfd95e0281719c15f90d067e211']
+ */
+
+static const uint8_t * const pubkey_v2[PUBKEYS] = {
+    (const uint8_t *)"\x03\x2c\x0b\x7c\xf9\x53\x24\xa0\x7d\x05\x39\x8b\x24\x01\x74\xdc\x0c\x2b\xe4\x44\xd9\x6b\x15\x9a\xa6\xc7\xf7\xb1\xe6\x68\x68\x09\x91",
+    (const uint8_t *)"\x02\xed\xab\xbd\x16\xb4\x1c\x83\x71\xb9\x2e\xf2\xf0\x4c\x11\x85\xb4\xf0\x3b\x6d\xcd\x52\xba\x9b\x78\xd9\xd7\xc8\x9c\x8f\x22\x11\x45",
+    (const uint8_t *)"\x03\x66\x5f\x66\x0a\x50\x52\xbe\x7a\x95\x54\x6a\x02\x17\x90\x58\xd9\x3d\x3e\x08\xa7\x79\x73\x49\x14\x59\x43\x46\x07\x5b\xb0\xaf\xd4",
+    (const uint8_t *)"\x03\x66\x63\x5d\x99\x94\x17\xb6\x55\x66\x86\x6c\x65\x63\x0d\x97\x7a\x7a\xe7\x23\xfe\x5f\x6c\x4c\xd1\x7f\xa0\x0f\x08\x8b\xa1\x84\xc1",
+    (const uint8_t *)"\x03\xf3\x6c\x7d\x0f\xb6\x15\xad\xa4\x3d\x71\x88\x58\x0f\x15\xeb\xda\x22\xd6\xf6\xb9\xb1\xa9\x2b\xff\x16\xc6\x93\x77\x99\xdc\xbc\x66"
+    };
+#else
+
 /*
  Debug private keys for v2 (previously called "new") scheme
  corresponding to pubkeys below as python hexstring array:
@@ -81,8 +105,10 @@ static const uint8_t * const pubkey_v2[PUBKEYS] = {
         (const uint8_t *)"\x03\x66\x63\x5d\x99\x94\x17\xb6\x55\x66\x86\x6c\x65\x63\x0d\x97\x7a\x7a\xe7\x23\xfe\x5f\x6c\x4c\xd1\x7f\xa0\x0f\x08\x8b\xa1\x84\xc1",
         (const uint8_t *)"\x03\xf3\x6c\x7d\x0f\xb6\x15\xad\xa4\x3d\x71\x88\x58\x0f\x15\xeb\xda\x22\xd6\xf6\xb9\xb1\xa9\x2b\xff\x16\xc6\x93\x77\x99\xdc\xbc\x66"
 };
-#else
+#endif
 
+#else
+#error NOT IMPLEMENTED
 // These public keys are production keys
 // - used in production devices
 
diff --git a/legacy/intermediate_fw/Makefile b/legacy/intermediate_fw/Makefile
index 35255a2f9..166ddbfb9 100644
--- a/legacy/intermediate_fw/Makefile
+++ b/legacy/intermediate_fw/Makefile
@@ -44,10 +44,15 @@ endif
 	@printf "  MAKO    $@\n"
 	$(Q)$(PYTHON) ../vendor/trezor-common/tools/cointool.py render $(MAKO_RENDER_FLAG) $@.mako
 
+ifeq ($(BOOTLOADER_QA), 0)
 bl_data.h: bl_data.py bootloader.dat
-	@printf "  PYTHON  bl_data.py\n"
-	$(Q)$(PYTHON) bl_data.py
-
+	@printf "  PYTHON  bl_data.py bootloader.dat\n"
+	$(Q)$(PYTHON) bl_data.py bootloader.dat
+else
+bl_data.h: bl_data.py bootloader_qa.dat
+	@printf "  PYTHON  bl_data.py bootloader_qa.dat\n"
+	$(Q)$(PYTHON) bl_data.py bootloader_qa.dat
+endif
 clean::
 	rm -f bl_data.h
 	find -maxdepth 1 -name "*.mako" | sed 's/.mako$$//' | xargs rm -f
diff --git a/legacy/intermediate_fw/bootloader_qa.dat b/legacy/intermediate_fw/bootloader_qa.dat
new file mode 120000
index 000000000..b50597d6f
--- /dev/null
+++ b/legacy/intermediate_fw/bootloader_qa.dat
@@ -0,0 +1 @@
+../firmware/bootloader_qa.dat
\ No newline at end of file
diff --git a/legacy/memory.c b/legacy/memory.c
index 39cebb3f9..9f66b94ca 100644
--- a/legacy/memory.c
+++ b/legacy/memory.c
@@ -30,6 +30,9 @@
 
 void memory_protect(void) {
 #if PRODUCTION
+#if BOOTLOADER_QA
+#error BOOTLOADER_QA must be built with PRODUCTION=0
+#endif
   // Reference STM32F205 Flash programming manual revision 5
   // http://www.st.com/resource/en/programming_manual/cd00233952.pdf Section 2.6
   // Option bytes
@@ -73,11 +76,16 @@ void memory_protect(void) {
 // example in STM32F427, where the protection bits are read correctly
 // from OPTION_BYTES and not form FLASH_OPCTR register.
 //
-// Read protection is unaffected and always stays locked to the desired value.
+// Read protection is set to level 2.
 void memory_write_unlock(void) {
+#if PRODUCTION
+#if BOOTLOADER_QA
+#error BOOTLOADER_QA must be built with PRODUCTION=0
+#endif
   flash_unlock_option_bytes();
   flash_program_option_bytes(0x0FFFCCEC);
   flash_lock_option_bytes();
+#endif
 }
 
 int memory_bootloader_hash(uint8_t *hash) {
diff --git a/legacy/script/update_bootloader.py b/legacy/script/update_bootloader.py
index 7e32f58ea..14b281430 100755
--- a/legacy/script/update_bootloader.py
+++ b/legacy/script/update_bootloader.py
@@ -11,12 +11,14 @@ LEGACY_ROOT = Path(__file__).parent.parent.resolve()
 
 BOOTLOADER_BUILT = LEGACY_ROOT / "bootloader" / "bootloader.bin"
 BOOTLOADER_IMAGE = LEGACY_ROOT / "firmware" / "bootloader.dat"
+BOOTLOADER_QA_IMAGE = LEGACY_ROOT / "firmware" / "bootloader_qa.dat"
 
 BOOTLOADER_VERSION = LEGACY_ROOT / "bootloader" / "version.h"
 FIRMWARE_VERSION = LEGACY_ROOT / "firmware" / "version.h"
 
 BL_CHECK_C = LEGACY_ROOT / "firmware" / "bl_check.c"
 BL_CHECK_TXT = LEGACY_ROOT / "firmware" / "bl_check.txt"
+BL_CHECK_QA_TXT = LEGACY_ROOT / "firmware" / "bl_check_qa.txt"
 
 BL_CHECK_PATTERN = """\
   if (0 ==
@@ -30,6 +32,13 @@ BL_CHECK_PATTERN = """\
 BL_CHECK_AUTO_BEGIN = "  // BEGIN AUTO-GENERATED BOOTLOADER ENTRIES (bl_check.txt)\n"
 BL_CHECK_AUTO_END = "  // END AUTO-GENERATED BOOTLOADER ENTRIES (bl_check.txt)\n"
 
+BL_CHECK_AUTO_QA_BEGIN = (
+    "  // BEGIN AUTO-GENERATED QA BOOTLOADER ENTRIES (bl_check_qa.txt)\n"
+)
+BL_CHECK_AUTO_QA_END = (
+    "  // END AUTO-GENERATED QA BOOTLOADER ENTRIES (bl_check_qa.txt)\n"
+)
+
 
 def cstrify(data: bytes) -> str:
     """Convert bytes to C string literal.
@@ -53,25 +62,28 @@ def load_version(filename: Path) -> str:
     return "{major}.{minor}.{patch}".format(**vdict)
 
 
-def load_hash_entries() -> dict[bytes, str]:
+def load_hash_entries(txt_file) -> dict[bytes, str]:
     """Load hash entries from bl_check.txt"""
     return {
         bytes.fromhex(digest): comment
         for digest, comment in (
-            line.split(" ", maxsplit=1)
-            for line in BL_CHECK_TXT.read_text().splitlines()
+            line.split(" ", maxsplit=1) for line in txt_file.read_text().splitlines()
         )
     }
 
 
-def regenerate_bl_check(hash_entries: t.Iterable[tuple[bytes, str]]) -> None:
+def regenerate_bl_check(
+    hash_entries: t.Iterable[tuple[bytes, str]],
+    begin,
+    end,
+) -> None:
     """Regenerate bl_check.c with given hash entries."""
     bl_check_new = []
     with open(BL_CHECK_C) as f:
         # read up to AUTO-BEGIN
         for line in f:
             bl_check_new.append(line)
-            if line == BL_CHECK_AUTO_BEGIN:
+            if line == begin:
                 break
 
         # generate new sections
@@ -86,7 +98,7 @@ def regenerate_bl_check(hash_entries: t.Iterable[tuple[bytes, str]]) -> None:
 
         # consume up to AUTO-END
         for line in f:
-            if line == BL_CHECK_AUTO_END:
+            if line == end:
                 bl_check_new.append(line)
                 break
 
@@ -98,7 +110,14 @@ def regenerate_bl_check(hash_entries: t.Iterable[tuple[bytes, str]]) -> None:
 
 @click.command()
 @click.option("-c", "--comment", help="Comment for the hash entry.")
-def main(comment: str | None) -> None:
+@click.option(
+    "--qa",
+    is_flag=True,
+    show_default=True,
+    default=False,
+    help="Install as QA bootloader.",
+)
+def main(comment: str | None, qa: bool) -> None:
     """Insert a new bootloader image.
 
     Takes bootloader/boootloader.dat, copies over firmware/bootloader.dat, and adds
@@ -108,7 +127,12 @@ def main(comment: str | None) -> None:
     digest = sha256(sha256(bl_bytes).digest()).digest()
     click.echo("Bootloader digest: " + digest.hex())
 
-    entries = load_hash_entries()
+    txt_file = BL_CHECK_QA_TXT if qa else BL_CHECK_TXT
+    begin = BL_CHECK_AUTO_QA_BEGIN if qa else BL_CHECK_AUTO_BEGIN
+    end = BL_CHECK_AUTO_QA_END if qa else BL_CHECK_AUTO_END
+    image = BOOTLOADER_QA_IMAGE if qa else BOOTLOADER_IMAGE
+
+    entries = load_hash_entries(txt_file)
     if digest in entries:
         click.echo("Bootloader already in bl_check.txt: " + entries[digest])
 
@@ -119,19 +143,23 @@ def main(comment: str | None) -> None:
             comment = f"{bl_version} shipped with fw {fw_version}"
 
         # insert new bootloader
-        with open(BL_CHECK_TXT, "a") as f:
+        with open(txt_file, "a") as f:
             f.write(f"{digest.hex()} {comment}\n")
 
         entries[digest] = comment
         click.echo("Inserted new entry: " + comment)
-    
+
     # rewrite bl_check.c
-    regenerate_bl_check(entries.items())
+    regenerate_bl_check(entries.items(), begin, end)
     click.echo("Regenerated bl_check.c")
 
     # overwrite bootloader.dat
-    BOOTLOADER_IMAGE.write_bytes(bl_bytes)
-    click.echo("Installed bootloader.dat into firmware")
+    image.write_bytes(bl_bytes)
+
+    if qa:
+        click.echo("Installed bootloader_qa.dat into firmware")
+    else:
+        click.echo("Installed bootloader.dat into firmware")
 
 
 if __name__ == "__main__":
diff --git a/legacy/setup.c b/legacy/setup.c
index 21ad3c37d..1537c3fb1 100644
--- a/legacy/setup.c
+++ b/legacy/setup.c
@@ -221,7 +221,7 @@ void mpu_config_bootloader(void) {
 
 // Never use in bootloader! Disables access to PPB (including MPU, NVIC, SCB)
 void mpu_config_firmware(void) {
-#if PRODUCTION
+#if PRODUCTION || BOOTLOADER_QA
   // Disable MPU
   MPU_CTRL = 0;