Does x230/heads work with Nitrokey 3A NFC?


I’m using an old x230 with heads that I manually configured some time ago using a Nitrokey 2 Pro.
The key stopped working and I finally got a Nitrokey 3A NFC, which I updated to bios 1.5.0 today to add openPGP card functinality.
When I tried to make my heads installation use the new Nitrokey, I seem stuck with TOTP/HOTP.
Heads’ system info says:
NitroPad X230
FW_VER: CBET4000 Heads-v1.3.1
Kernel: Linux 4.14.62-heads

After boot, the warning “Your HOTP USB Security Dongle was not detected. Please insert yout HOTP USB Security Dongle”. The nitrokey is plugged in, and upon clicking OK I get to the Heads Boot Menu, stating a TOTP, and the warning "Error checking code, Insert HOTP USB Security Dongle.

I can boot anyway, so it seems the pcsc interface works OK, but I’d like to know what goes wrong here. Is the heads installation too old? Can I safely upgrade to the most current one listed on Nitrokey Github?
Finally I’d like to know if the x230 heads is even supposed to work with the Nitrokey 3A NFC?


Hey Jan,

Nitrokey 3 only works since (our) HEADS version 2.1 together with the x230 → Release v2.1 - Nitropad NV41 / NS50 / X230 / T430 · Nitrokey/heads · GitHub

Please keep in mind that you’ll need the “legacy” firmware version, the “maximized” needs to be flashed using an external flasher - if you use maximized without initially flashing it using an external flasher, you will brick your x230. (not entirely, but it won’t boot before you flash it externally)…

We also offer a service to do this update, please write shop (at) nitrokey (dot) com if you are interessted.


Hi daringer,
thanks a lot. In the meantime I upgraded the pad firmware to the v1.4 release, but the result is the same.
I’ll try the v2.1 next and report back.

by the way, the Github releases are signed by you, not the key indicated on Nitrokey website. I found the key and the signature is fine, but I’d like it even more if your key were signed.
Download page

External flashing will be next option. I’ve done that before using Pomona SOIC-8 clip and Buspirate (which does not really work, not even with short wires) and then using RasPi, which worked nicely.


Hi daringer,

I just flashed v2.1 and now the TOTP verification works using FreeOTP+ on Android phone. Thank you very much!