Coreboot/Heads flashing help/services?

Sorry to interrupt, but this seems a good place to ask.

I live in east Texas, I have not been very successful in doing Heads Flash to a Lenovo X-230.

I felt that there might be someone not to far away from me physically, who has done a number of these, who might work out some kind of deal $$ to accomplish Heads Flashing?

You may reply PM if you choose.

note to mods

I think this deserves a specific thread @moderators on which a list of existing coreboot flashing services should be promoted? There should be no distinction to be made between coreboot flashing services and Heads flashing services, even less since Basic boot mode (referred above) exists. Heads can be flashed without bounding it to any USB security dongle nor provisioning any secret. Therefore an end user could just reflash internally upon reception of the hardware and not trust the firmware and go from there.

1 Like

Do I understand that I should not trust the firmware, because it was not done in front of me. Or is this just an entry to make until I used a Librem or Nitro Key to be set?

Am I not gaining anything by allowing someone else to do the first Heads flash?

Now things are a bit out of context, unfortunately since post has been moved to a new thread.


If Heads is flashed by a third party, you trust that third party, until you reflash yourself internally, having verified the hash of the firmware yourself, and then remotely attesting the trusted firmware integrity feature, enabling anti-interdiction and remote attestation for in-transit tampering detection.

Basic mode permits, for the first time, to have Heads being flashed as a service, just like people flash libreboot or skulls, which are coreboot distributions, without enabling any of Heads security features enabled. This means no need to buy and couple OpenGPG smartcard to be provisioned by third party, no OS preinstallation necessity: it just permits a third party to do the first external flash which might be complicated for some, even more depending on the hardware in question where those SPI chips are not so easy to access.

Basic mode goal is exactly that: not enforce any security mechanism. It could permit third party to address your first comment on the other thread: the initial burden of externally flashing the hardware, and then permitting you to internally flash your hardware to a firmware image you verified the integrity yourself. You would still have to trust to a certain level that third party to a certain extent, after all, that human will have access to the hardware insides.

When you buy a laptop flashed with Heads from online sellers, those normally provide physical seals and pictures of them, QR code sharing, and coupling a Nitrokey Pro/Librem Key/Nitrokey Storage for HOTP firmware integrity atestation, which third party also preinstall on OS for which /boot content is signed and verified by the public key fused into ROM, bound to the private key on the OpenGPG smartcard of the USB security dongle. I is recommended to reown security components of the hardware upon reception of the hardware anyway. For paranoids, it is also recommended to internally flash/upgrade the firmware at that point, so that the LUKS encryption key is yours only (reencrypting installation) and generating new subkeys on your OpenGPG smartcard, so they are yours only as well. The short version of this is : Heads coming pre-provisioned’s goal is in-transit tampering detection. If you reflash and re-own those components at reception of the hardware (recommended) then the risks are that the hardware might have had implants inserted. It is always better to have a person flash in front of you (or you flash yourself) to guarantee that nothing has been tampered in the hardware itself. But if those are impossible for yourself, having the firmware flashed by a third party might be a viable option.

What i’m basically telling here is that since Basic mode arrival under Heads, laptops could be flashed with Heads as a service without those bundled additional services, which could be beneficial or not for you.

But Heads is just that: a firmware image you can either build yourself or download and verify prior of flashing, after which security mechanisms are to be applied in place for you to be able to attest and verify the the state of your firmware on succeeding reboots. And maximized images are exactly that: full spi images that will overwrite the whole content of what is booted from, replacing ME and everything else in SPI flash with a fresh copy, that on next boot will be sealed in TPM on which you will then be alerted of changes.

Ideally you do all of that yourself, but just like for Skulls, libreboot and coreboot: the first external flash is problematic for some, and that service is offered also by some to ease access to coreboot firmware ecosystem.

Here is what I found:

Company Location Hardware Price
Minifree UK Various laptops £99
Vikings Germany Various servers, workstations, and laptops €49 - €199
3mdeb Poland Selected hardware models Contact for a quote
Technoethical EU and US Various laptops, phones, and other devices Varies depending on the device

I’m not aware of North American coreboot flashers, but it would be interesting to compile such list. Would you be willing to take the task of modifying your now OP with such a compiled list with sources provided in this thread?

1 Like

@catacombs Fablabs are amazing for their dedication into free knowledge sharing and ability to assist into doing those things and might be able to do/help into externally initially flashing the device while you being present.

Here is a non-exhaustive list of fablabs which would benefit of being extended and called/emailed to see if they can help doing this with phisical presence, with sources to extend it with some manual efforts, including the entry for Texas:

Name Country City Contact
Fab Lab Afghanistan Afghanistan Jalalabad Email:
Fab Lab Manchester UK Manchester Email:, Phone: +44 161 839 6324, Address: 42 Edge Street, Manchester M4 1HN, UK
FabLab Valencia Spain Valencia Email:, Phone: +34 963 877 069, Address: Camino de Vera s/n, Edificio 8G, Acceso J, 46022 Valencia, Spain
Fab Lab Oulu Finland Oulu Email:, Phone: +358 294 482 200, Address: Erkki Koiso-Kanttilan katu 3, Linnanmaa Campus, University of Oulu, Finland
Fab Lab San Diego USA San Diego Email:, Phone: +1 619-200-3256, Address: San Diego Central Library @ Joan Λ Irwin Jacobs Common, Innovation Center (8th Floor), 330 Park Blvd., San Diego CA 92101
Fab Lab Baltimore USA Baltimore Email:, Phone: +1 443-840-4466, Address: Community College of Baltimore County Catonsville Campus - Engineering Building Room E-100A, 800 South Rolling Road Baltimore MD 21228
Fab Lab El Paso USA El Paso Email:, Phone: +1 915-209-2656, Address: 601 N. Oregon St. Suite #2 El Paso TX 79901
Fab Lab NOLA USA New Orleans Email:, Phone: +1 504-671-5012, Address: Delgado Community College City Park Campus - Building One Room W-101A New Orleans LA 70119
Fab Lab Houston USA Houston Email:, Phone: +1 713-842-3669, Address: BakerRipley East Aldine Campus - Fab Lab Houston Room A-102 Houston TX 77039
Fab Lab Barcelona Spain Barcelona Email:, Phone: +34 933 209 637, Address: Pujades 102 baixos Poble Nou Barcelona Spain
Fab Lab Kerala India Kerala Email:, Phone: +91 4712 7220 00 / +91 4842 4210 00 / +91 4952 4210 00 / +91
1 Like

Insurgo. Thank you very much. I will look into this.

My brother has been in the ER since last night, and I have been a bit busy.

No Such User Here

Sorry to hear that for your brother. Hang on!

That information was automatically generated based on old sources it seems.

Note that fablabs are “regulated” terminology and the official source for registered fablabs is at as opposed to MakerSpaces which should also be investigated. You can ask them if they have SOIC8/SOIC16 clips (depending on models to flash) and ch341a 1.6+ programmers and/or bring your own (and even donate some if you can. Buying those bulk is not much more expensive then buying one over alibaba or ebay).

It seems that Fab Lab Houston | FabLabs is more updated then the information I automatically generated through a bing creative chat. Here is an updated generated list focused on fablabs having CNC printers and a known to have an electronic focus:

Name Country City Contact Street Address Website
Fab Lab Oulu Finland Oulu, +358 294 482 200 Pentti Kaiteran katu 1, 90570 Oulu, Finland Fab Lab Oulu
Fab Lab Barcelona Spain Barcelona, +34 93 512 02 12 Carrer de Pujades, 102, 08005 Barcelona, Spain Fab Lab Barcelona
Fab Lab Berlin Germany Berlin, +49 30 8145 3994 Prenzlauer Allee 242, 10405 Berlin, Germany Fab Lab Berlin
Fab Lab Lisboa Portugal Lisbon, +351 21 817 0400 Rua da Boavista, nº131A, 1200-068 Lisboa, Portugal Fab Lab Lisboa
Fab Lab London United Kingdom London, +44 20 7253 2277 The City Centre, 80 Basinghall St, London EC2V 5AR, United Kingdom Fab Lab London
Fab Lab Manchester United Kingdom Manchester, +44 161 839 6324 Chips Building, Lower Ground Floor, New Islington Marina, Manchester M4 6BU, United Kingdom Fab Lab Manchester
Fab Lab Amsterdam (Waag) (Waag Society) Netherlands Amsterdam, +31 20 5579 8900 Nieuwmarkt 4, Amsterdam NL-1012 CR Netherlands [Fab Lab Amsterdam]
Fab Lab Zurich (FabLab Zürich) Switzerland Zurich,+41 44 2730 000 Technoparkstrasse 1,Zurich CH-8005 Switzerland [Fab Lab Zurich]
Fab Lab Wgtn (FabLab Wellington) New Zealand Wellington,+64 4-8015799 ext.63478 Massey University Wellington Campus,Building D Block One Entrance C,Buckle Street Wellington NZ-6011 New Zealand [Fab Lab Wgtn]
Fab Lab Adelaide (FabLab Adelaide) Australia Adelaide,+61-8-8207-7200 The Science Exchange Building,Little Gilbert Street Adelaide SA-5000 Australia [Fab Lab Adelaide]
Fab Lab Dhahran (FabLab Dhahran) Saudi Arabia Dhahran,+966-13-8600-0000 King Fahd University of Petroleum and Minerals,Dhahran SA-31261 Saudi Arabia [Fab Lab Dhahran]
Fab Lab Egypt (FabLab Egypt) Egypt Cairo,+20-2-3336-3310 15 Ahmed Kamel Street,New Maadi Cairo EG-11435 Egypt [Fab Lab Egypt]
Fab Lab Cape Town (FabLab Cape Town) South Africa Cape Town,+27-21-4620-000 75 Harrington Street,Cape Town ZA-8001 South Africa [Fab Lab Cape Town]
Fab Lab Lima (FabLab Lima) Peru Lima,+51-1-4466-7000 Av. Paseo de la República 5895,Miraflores Lima PE-15074 Peru [Fab Lab Lima]
Fab Lab San Diego at MakerPlace San Diego LLC. (MakerPlace) (FabLabSD) (FabLab San Diego) USA San Diego, California, +1 619-225-7288 1022 W Morena Blvd Suite H San Diego CA 92110 [Fab Lab San Diego]
Fab Lab Baltimore at CCBC (FabLab Baltimore) (CCBC Fab Lab) USA Baltimore, Maryland, +1 443-840-4465 800 South Rolling Road Catonsville MD 21228 [Fab Lab Baltimore]
Fab Lab Houston USA Houston, Texas, +1 346-570-4446 3000 Aldine Mail Route Road, Building B, Houston, Texas, 77039, United States of America [Fab Lab Houston]
Fab Lab at WorkChops (WorkChops Fab Lab) (FabLab WorkChops) USA Media, Pennsylvania, +1 610-565-3677 9 State Rd Media PA 19063 [Fab Lab at WorkChops]
Incite Focus (Incite Focus Fab Lab) (FabLab Incite Focus) USA Detroit, Michigan, +1 313-444-4836 5555 Conner St Detroit MI 48213 [Incite Focus]
The Gregory School Fab Lab (Gregory School Fab Lab) (FabLab Gregory School) USA Tucson, Arizona, +1 520-327-6395 3231 N Craycroft Rd Tucson AZ 85712 [The Gregory School Fab Lab]

Source: Conversation with Bing, 8/16/2023
(1) undefined. Fab Lab Berlin | Berlin.
(2) undefined.
(3) Fab Lab Berlin | FabLabs. Fab Lab Berlin | FabLabs.
(4) undefined. Protolabs Network | On-demand manufacturing for custom parts.
(5) undefined. Login to Meetup | Meetup.
(6) undefined.
(7) How MIT’s fab labs scaled around the world. How MIT’s fab labs scaled around the world | MIT News | Massachusetts Institute of Technology.
(8) Home | Fab Lab Website.
(9) Fab Lab Network. Fab Lab Network.

I will not maintain those lists! Just showing that they are accessible and fablabs/makerspace should be visited more often. If unaware of coreboot (possible but improbable) they should be trained once to it and then knowledge will trickle down and propagate as it should.

I have to say that i’m in love with Bing (web search) on top of GPT4 in creative mode. There is no reason to not have a qube connected to a vpn (bing doesn’t love tor without bridge relay, otherwise connectivity issues/captcha) and use this service as long as it is detached from your own real identity and would not go back without that kind of a co-pilot on my work/coding related tasks for research. This post is not about bing. So please do not continue in that direction here. But that service is unbelievably useful to get around problems without known solutions and use creative ways to solve them.

1 Like

Anyone can report local coreboot flashing services they encountered in their searches?