diff --git a/README.md b/README.md
index 08e9f05e..13605fed 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@ To print out the serial console from the STM32, run tests/debug_console.py
 
 Hardware
 ------
+
 Check out the hardware [guide](https://github.com/commaai/panda/blob/master/docs/guide.pdf)
 
 Licensing
diff --git a/board/bootstub.c b/board/bootstub.c
index 12195bb0..78e66500 100644
--- a/board/bootstub.c
+++ b/board/bootstub.c
@@ -13,7 +13,28 @@
 
 #include "obj/cert.h"
 
+void lock_bootloader() {
+  if (FLASH->OPTCR & FLASH_OPTCR_nWRP_0) {
+    FLASH->OPTKEYR = 0x08192A3B;
+    FLASH->OPTKEYR = 0x4C5D6E7F;
+
+    // write protect the bootloader
+    FLASH->OPTCR &= ~FLASH_OPTCR_nWRP_0;
+
+    // OPT program
+    FLASH->OPTCR |= FLASH_OPTCR_OPTSTRT;
+    while (FLASH->SR & FLASH_SR_BSY);
+
+    // relock it
+    FLASH->OPTCR |= FLASH_OPTCR_OPTLOCK;
+
+    // reset
+    NVIC_SystemReset();
+  }
+}
+
 void __initialize_hardware_early() {
+  lock_bootloader();
   early();
 }
 
diff --git a/board/main.c b/board/main.c
index e2218fb2..6bd2b2b3 100644
--- a/board/main.c
+++ b/board/main.c
@@ -897,6 +897,8 @@ int main() {
 #endif
   __enable_irq();
 
+  puts("OPTCR: "); puth(FLASH->OPTCR); puts("\n");
+
   // LED should keep on blinking all the time
   uint64_t cnt;
   for (cnt=0;;cnt++) {
diff --git a/board/tools/bl_unlock.py b/board/tools/bl_unlock.py
new file mode 100755
index 00000000..cbb4cb8d
--- /dev/null
+++ b/board/tools/bl_unlock.py
@@ -0,0 +1,64 @@
+#!/usr/bin/env python
+import usb1
+import struct
+from hexdump import hexdump
+
+def dostat():
+  while 1:
+    dat = dev.controlRead(0x21, DFU_GETSTATUS, 0, 0, 6)
+    hexdump(dat)
+    if dat[1] == "\x00":
+      break
+
+context = usb1.USBContext()
+dev = context.openByVendorIDAndProductID(0x0483, 0xdf11)
+dev.claimInterface(0)
+print dev
+
+DFU_DNLOAD = 1
+DFU_UPLOAD = 2
+DFU_GETSTATUS = 3
+DFU_CLRSTATUS = 4
+DFU_ABORT = 6
+
+# Clear status
+stat = dev.controlRead(0x21, DFU_GETSTATUS, 0, 0, 6)
+hexdump(stat)
+if stat[4] == "\x0a":
+  dev.controlRead(0x21, DFU_CLRSTATUS, 0, 0, 0)
+elif stat[4] == "\x09":
+  dev.controlWrite(0x21, DFU_ABORT, 0, 0, "")
+  dostat()
+hexdump(dev.controlRead(0x21, DFU_GETSTATUS, 0, 0, 6))
+
+# Read Unprotect
+#dev.controlWrite(0x21, DFU_DNLOAD, 0, 0, "\x92")
+#hexdump(dev.controlRead(0x21, DFU_GETSTATUS, 0, 0, 6))
+
+# Set Address Pointer
+dev.controlWrite(0x21, DFU_DNLOAD, 0, 0, "\x21" + struct.pack("I", 0x1fffc000))
+dostat()
+
+# Abort
+dev.controlWrite(0x21, DFU_ABORT, 0, 0, "")
+dostat()
+
+# Dump
+val = dev.controlRead(0xA1, DFU_UPLOAD, 2, 0, 0x10)
+hexdump(val)
+
+# Abort
+dev.controlWrite(0x21, DFU_ABORT, 0, 0, "")
+dostat()
+
+# Set Address Pointer
+dev.controlWrite(0x21, DFU_DNLOAD, 0, 0, "\x21" + struct.pack("I", 0x1fffc000))
+dostat()
+
+#val = val[0:8] + "\xfe\x7f\x01\x80"*2
+val = val[0:8] + "\xff\x7f\x00\x80"*2
+
+# Program
+dev.controlWrite(0x21, DFU_DNLOAD, 2, 0, val)
+dostat()
+