diff --git a/Makefile b/Makefile
index e1cbfe3c..28665735 100644
--- a/Makefile
+++ b/Makefile
@@ -180,16 +180,8 @@ gdb_firmware: $(FIRMWARE_BUILD_DIR)/firmware.elf ## start remote gdb session to
 
 ## misc commands:
 
-vendorheader: ## construct and sign the default vendor header
-	./tools/build_vendorheader e28a8970753332bd72fef413e6b0b2ef1b4aadda7aa2c141f233712a6876b351:d4eec1869fb1b8a4e817516ad5a931557cb56805c3eb16e8f3a803d647df7869:772c8a442b7db06e166cfbc1ccbcbcde6f3eba76a4e98ef3ffc519502237d6ef 2 0.0 x.....x DEVELOPMENT assets/vendor_devel.toif embed/firmware/vendorheader.bin
-	./tools/binctl embed/firmware/vendorheader.bin -s 1:2 `./tools/keyctl sign vendorheader embed/firmware/vendorheader.bin 4444444444444444444444444444444444444444444444444444444444444444 4545454545454545454545454545454545454545454545454545454545454545`
-
-vendorheader_sl: ## construct SatoshiLabs vendor header
-	./tools/build_vendorheader 47fbdc84d8abef44fe6abde8f87b6ead821b7082ec63b9f7cc33dc53bf6c708d:9af22a52ab47a93091403612b3d6731a2dfef8a33383048ed7556a20e8b03c81:2218c25f8ba70c82eba8ed6a321df209c0a7643d014f33bf9317846f62923830 2 0.0 ....... SatoshiLabs assets/vendor_satoshilabs.toif embed/firmware/vendorheader_sl.bin
-
 binctl: ## print info about binary files
 	./tools/binctl $(BOOTLOADER_BUILD_DIR)/bootloader.bin
-	./tools/binctl embed/firmware/vendorheader.bin
 	./tools/binctl $(PRODTEST_BUILD_DIR)/prodtest.bin
 	./tools/binctl $(FIRMWARE_BUILD_DIR)/firmware.bin
 
diff --git a/SConscript.firmware b/SConscript.firmware
index 93b407ae..414e459a 100644
--- a/SConscript.firmware
+++ b/SConscript.firmware
@@ -286,7 +286,7 @@ SOURCE_PY.extend(Glob('src/*/*/*/*.py'))
 SOURCE_PY.extend(Glob('src/*/*/*/*/*.py'))
 SOURCE_PY_DIR = 'src/'
 
-env = Environment(ENV=os.environ, CFLAGS=ARGUMENTS.get('CFLAGS', ''))
+env = Environment(ENV=os.environ, CFLAGS='%s -DPRODUCTION=%s' % (ARGUMENTS.get('CFLAGS', ''), ARGUMENTS.get('PRODUCTION', '0')))
 
 env.Tool('micropython')
 
@@ -395,10 +395,12 @@ obj_program.extend(env.Object(source=SOURCE_STMHAL))
 obj_program.extend(env.Object(source=SOURCE_TREZORHAL))
 obj_program.extend(env.Object(source=source_mpyc))
 
+VENDORHEADER = 'embed/vendorheader/vendorheader_' + ('unsafe_signed_dev.bin' if ARGUMENTS.get('PRODUCTION', '0') == '0' else 'satoshilabs_signed_prod.bin')
+
 obj_program.extend(
     env.Command(
         target='embed/firmware/vendorheader.o',
-        source='embed/firmware/vendorheader.bin' if ARGUMENTS.get('PRODUCTION', '0') == '0' else 'embed/firmware/vendorheader_sl_signed.bin',
+        source=VENDORHEADER,
         action='$OBJCOPY -I binary -O elf32-littlearm -B arm'
         ' --rename-section .data=.vendorheader,alloc,load,readonly,contents'
         ' $SOURCE $TARGET', ))
diff --git a/SConscript.prodtest b/SConscript.prodtest
index 993e5b40..c808e888 100644
--- a/SConscript.prodtest
+++ b/SConscript.prodtest
@@ -133,10 +133,12 @@ obj_program += env.Object(source=SOURCE_PRODTEST)
 obj_program += env.Object(source=SOURCE_STMHAL)
 obj_program += env.Object(source=SOURCE_TREZORHAL)
 
+VENDORHEADER = 'embed/vendorheader/vendorheader_' + ('unsafe_signed_dev.bin' if ARGUMENTS.get('PRODUCTION', '0') == '0' else 'satoshilabs_signed_prod.bin')
+
 obj_program.extend(
     env.Command(
         target='embed/prodtest/vendorheader.o',
-        source='embed/firmware/vendorheader.bin' if ARGUMENTS.get('PRODUCTION', '0') == '0' else 'embed/firmware/vendorheader_sl_signed.bin',
+        source=VENDORHEADER,
         action='$OBJCOPY -I binary -O elf32-littlearm -B arm'
         ' --rename-section .data=.vendorheader,alloc,load,readonly,contents'
         ' $SOURCE $TARGET', ))
diff --git a/SConscript.reflash b/SConscript.reflash
index d431efd5..c788af7c 100644
--- a/SConscript.reflash
+++ b/SConscript.reflash
@@ -133,10 +133,12 @@ obj_program += env.Object(source=SOURCE_REFLASH)
 obj_program += env.Object(source=SOURCE_STMHAL)
 obj_program += env.Object(source=SOURCE_TREZORHAL)
 
+VENDORHEADER = 'embed/vendorheader/vendorheader_' + ('unsafe_signed_dev.bin' if ARGUMENTS.get('PRODUCTION', '0') == '0' else 'satoshilabs_signed_prod.bin')
+
 obj_program.extend(
     env.Command(
         target='embed/reflash/vendorheader.o',
-        source='embed/firmware/vendorheader.bin' if ARGUMENTS.get('PRODUCTION', '0') == '0' else 'embed/firmware/vendorheader_sl_signed.bin',
+        source=VENDORHEADER,
         action='$OBJCOPY -I binary -O elf32-littlearm -B arm'
         ' --rename-section .data=.vendorheader,alloc,load,readonly,contents'
         ' $SOURCE $TARGET', ))
diff --git a/assets/vendor_devel.toif b/assets/vendor_devel.toif
deleted file mode 100644
index e4867104..00000000
Binary files a/assets/vendor_devel.toif and /dev/null differ
diff --git a/build-docker.gcc_source.sh b/build-docker.gcc_source.sh
index b597fa41..6d20468c 100755
--- a/build-docker.gcc_source.sh
+++ b/build-docker.gcc_source.sh
@@ -12,4 +12,4 @@ docker run -t -v $(pwd)/build-docker:/build:z $IMAGE /bin/sh -c "\
 	ln -s /build build &&
 	git checkout $TAG && \
 	git submodule update --init --recursive && \
-	make clean vendor vendorheader build_boardloader build_bootloader build_prodtest build_firmware"
+	make clean vendor build_boardloader build_bootloader build_prodtest build_firmware"
diff --git a/build-docker.sh b/build-docker.sh
index 9799b319..1219d76e 100755
--- a/build-docker.sh
+++ b/build-docker.sh
@@ -12,4 +12,4 @@ docker run -t -v $(pwd)/build-docker:/build:z $IMAGE /bin/sh -c "\
 	ln -s /build build &&
 	git checkout $TAG && \
 	git submodule update --init --recursive && \
-	make clean vendor vendorheader build_boardloader build_bootloader build_prodtest build_firmware"
+	make clean vendor build_boardloader build_bootloader build_prodtest build_firmware"
diff --git a/embed/firmware/.gitignore b/embed/firmware/.gitignore
deleted file mode 100644
index 47c8c735..00000000
--- a/embed/firmware/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-vendorheader.bin
diff --git a/embed/vendorheader/generate.sh b/embed/vendorheader/generate.sh
new file mode 100755
index 00000000..0f78b25d
--- /dev/null
+++ b/embed/vendorheader/generate.sh
@@ -0,0 +1,13 @@
+BINCTL=../../tools/binctl
+KEYCTL=../../tools/keyctl
+BUILDVH=../../tools/build_vendorheader
+
+# construct the default unsafe vendor header
+$BUILDVH e28a8970753332bd72fef413e6b0b2ef1b4aadda7aa2c141f233712a6876b351:d4eec1869fb1b8a4e817516ad5a931557cb56805c3eb16e8f3a803d647df7869:772c8a442b7db06e166cfbc1ccbcbcde6f3eba76a4e98ef3ffc519502237d6ef 2 0.0 xxx...x "UNSAFE, DO NOT USE!" vendor_unsafe.toif vendorheader_unsafe_unsigned.bin
+
+# sign the default unsafe vendor header using development keys
+cp -a vendorheader_unsafe_unsigned.bin vendorheader_unsafe_signed_dev.bin
+$BINCTL vendorheader_unsafe_signed_dev.bin -s 1:2 `$KEYCTL sign vendorheader vendorheader_unsafe_signed_dev.bin 4444444444444444444444444444444444444444444444444444444444444444 4545454545454545454545454545454545454545454545454545454545454545`
+
+# construct SatoshiLabs vendor header
+$BUILDVH 47fbdc84d8abef44fe6abde8f87b6ead821b7082ec63b9f7cc33dc53bf6c708d:9af22a52ab47a93091403612b3d6731a2dfef8a33383048ed7556a20e8b03c81:2218c25f8ba70c82eba8ed6a321df209c0a7643d014f33bf9317846f62923830 2 0.0 ....... SatoshiLabs vendor_satoshilabs.toif vendorheader_satoshilabs_unsigned.bin
diff --git a/assets/vendor_satoshilabs.toif b/embed/vendorheader/vendor_satoshilabs.toif
similarity index 100%
rename from assets/vendor_satoshilabs.toif
rename to embed/vendorheader/vendor_satoshilabs.toif
diff --git a/embed/vendorheader/vendor_unsafe.toif b/embed/vendorheader/vendor_unsafe.toif
new file mode 100644
index 00000000..b80e9f35
Binary files /dev/null and b/embed/vendorheader/vendor_unsafe.toif differ
diff --git a/embed/firmware/vendorheader_sl_signed.bin b/embed/vendorheader/vendorheader_satoshilabs_signed_prod.bin
similarity index 100%
rename from embed/firmware/vendorheader_sl_signed.bin
rename to embed/vendorheader/vendorheader_satoshilabs_signed_prod.bin
diff --git a/embed/vendorheader/vendorheader_satoshilabs_unsigned.bin b/embed/vendorheader/vendorheader_satoshilabs_unsigned.bin
new file mode 100644
index 00000000..61f3106a
Binary files /dev/null and b/embed/vendorheader/vendorheader_satoshilabs_unsigned.bin differ
diff --git a/embed/vendorheader/vendorheader_unsafe_signed_dev.bin b/embed/vendorheader/vendorheader_unsafe_signed_dev.bin
new file mode 100644
index 00000000..9c4532ef
Binary files /dev/null and b/embed/vendorheader/vendorheader_unsafe_signed_dev.bin differ
diff --git a/embed/vendorheader/vendorheader_unsafe_unsigned.bin b/embed/vendorheader/vendorheader_unsafe_unsigned.bin
new file mode 100644
index 00000000..aa4f5d0a
Binary files /dev/null and b/embed/vendorheader/vendorheader_unsafe_unsigned.bin differ