SecureGen v2.2 + v2.3: Upgrading to ESP32-S3, Native USB HID, and Implementing Duress Decoy Vaults

Tags: #password #authenticator #securegen #lilygo
Author: makepkg

A few months ago, I shared the security architecture of SecureGen, an open-source, air-gapped hardware password manager and TOTP authenticator built with application-layer AES-256-GCM encryption.

Since then, the project has gone through two massive iterations (v2.2.0 and v2.3.0). We officially migrated the architecture to support the ESP32-S3, implemented native USB HID execution, and added a physical threat-model feature straight out of a spy movie: Duress PINs with instant memory zeroing and decoy vaults.

Here is a breakdown of what we built over the last two months and the engineering challenges behind them.

🛠️ The Hardware Evolution: Moving to ESP32-S3 & Native USB-OTG

While the original ESP32 was great, it lacked native USB capabilities, forcing us to rely purely on Bluetooth (BLE) for keyboard emulation.

In v2.2.0, we introduced full support for the LILYGO T-Display-S3 board. This upgrade fundamentally changed the deviceโ€™s capabilities:

8MB PSRAM & 1.9" Parallel Display (170×320): a massive UI upgrade, and far more headroom for serving several encrypted web sessions at once.

Hardware-accelerated AES: the S3's AES accelerator handles the AES-256-GCM vault operations in hardware, and they run significantly faster than on the original ESP32.

Native USB HID Keyboard: thanks to the S3's native USB-OTG controller, you can plug the device straight into a server or PC and have it type credentials over the wire, with no BLE pairing involved. The mode can be switched on or off from the local web interface. Keep in mind that the host still sees an ordinary keyboard: whatever window has focus receives the keystrokes, and anything on the host that can log keystrokes sees the credential, exactly as with BLE typing.

🔒 The Duress PIN: Memory Zeroing & Decoy Vaults

In v2.3.0, we addressed physical coercion threat models. What happens if someone physically forces you to enter your PIN to unlock your hardware vault?

We implemented a Multi-Layer Duress PIN system.

```text
[User Enters PIN]
│
├──► Correct PIN ──► Decrypts Master Key ──► Loads Real Vault
│
└──► Duress PIN ──► Triggers Advanced Memory Zeroing
         │
         ├──► Wipes RAM & Crypto Keys
         └──► Swaps real LittleFS storage with Decoy Accounts
```

When the duress PIN is entered:

The firmware recognises the duress PIN before it opens or parses the real vault storage.

It runs a memory-zeroing pass that scrubs all active session keys and the real TOTP secrets from RAM.

The real vault file handles are isolated, and the firmware instantly swaps the interface to a fully functional, pre-configured Decoy Vault populated with fake accounts.

To an attacker the device looks completely unlocked, but the real cryptographic keys are gone from volatile memory and the real vault remains only as AES-256-GCM ciphertext on flash.
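Here is how that dispatch can be structured, as an added example written for this article rather than code from the SecureGen repository. The PIN KDF is a toy stand-in, the key material is constructed, and the file names /vault.bin and /decoy.bin are assumptions:

```c
/* Duress-PIN dispatch sketch (added illustration, not SecureGen's own code).
 * Assumptions: PINs are enrolled as digests, real key material is simulated,
 * and derive_pin_digest() stands in for the firmware's real PIN KDF. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 8
#define KEY_LEN 32
#define TOTP_SECRET_LEN 20

typedef enum { PIN_REJECTED = 0, PIN_REAL = 1, PIN_DURESS = 2 } pin_result_t;

/* Persisted config: only digests are stored, never the PINs themselves. */
typedef struct {
    uint8_t real_digest[DIGEST_LEN];
    uint8_t duress_digest[DIGEST_LEN];
} pin_config_t;

/* Volatile session state: everything the duress path has to destroy lives here. */
typedef struct {
    uint8_t master_key[KEY_LEN];          /* unwraps the real vault */
    uint8_t totp_secret[TOTP_SECRET_LEN]; /* cached seed of the account on screen */
    const char *vault_path;               /* LittleFS file the UI reads from */
    bool unlocked;
} session_t;

/* Toy KDF stand-in (assumption): iterated FNV-1a over the PIN. A production
 * build would use a salted, memory-hard KDF; the dispatch below is unchanged. */
static void derive_pin_digest(const char *pin, uint8_t out[DIGEST_LEN]) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (uint32_t round = 0; round < 1000; round++) {
        for (const char *p = pin; *p; p++) { h ^= (uint8_t)*p; h *= 0x100000001b3ULL; }
        h ^= round; h *= 0x100000001b3ULL;
    }
    for (size_t i = 0; i < DIGEST_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Zeroing the optimiser cannot drop: every store goes through a volatile pointer. */
static void secure_zero(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
}

/* Constant-time compare: no early exit, so timing does not reveal how far a guess matched. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t len) {
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

void enroll_pins(pin_config_t *cfg, const char *real_pin, const char *duress_pin) {
    derive_pin_digest(real_pin, cfg->real_digest);
    derive_pin_digest(duress_pin, cfg->duress_digest);
}

/* Simulated real unlock: the firmware would decrypt the vault header here. */
void load_real_vault(session_t *s) {
    memset(s->master_key, 0xA5, KEY_LEN);            /* constructed key bytes */
    memset(s->totp_secret, 0x5C, TOTP_SECRET_LEN);   /* constructed seed bytes */
    s->vault_path = "/vault.bin";
    s->unlocked = true;
}

pin_result_t unlock_with_pin(session_t *s, const pin_config_t *cfg, const char *entered) {
    uint8_t digest[DIGEST_LEN];
    derive_pin_digest(entered, digest);
    /* Both comparisons always run, so a real PIN and a duress PIN cost the same time. */
    bool is_real   = ct_equal(digest, cfg->real_digest, DIGEST_LEN);
    bool is_duress = ct_equal(digest, cfg->duress_digest, DIGEST_LEN);
    secure_zero(digest, sizeof digest);

    if (is_duress) {
        /* Scrub secrets BEFORE any storage access, then point the UI at the decoy. */
        secure_zero(s->master_key, KEY_LEN);
        secure_zero(s->totp_secret, TOTP_SECRET_LEN);
        s->vault_path = "/decoy.bin";
        s->unlocked = true;   /* to the coercer the device looks unlocked */
        return PIN_DURESS;
    }
    if (is_real) {
        load_real_vault(s);
        return PIN_REAL;
    }
    s->unlocked = false;
    return PIN_REJECTED;
}

/* True when no byte of key material remains in the session. */
bool session_keys_zeroed(const session_t *s) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= s->master_key[i];
    for (size_t i = 0; i < TOTP_SECRET_LEN; i++) acc |= s->totp_secret[i];
    return acc == 0;
}

int main(void) {
    pin_config_t cfg;
    session_t s = {0};
    enroll_pins(&cfg, "482913", "000000");                 /* constructed PINs */
    load_real_vault(&s);                                   /* device was unlocked for real */
    pin_result_t r = unlock_with_pin(&s, &cfg, "000000");  /* coercer forces the duress PIN */
    printf("result=%d path=%s keys_zeroed=%d\n", r, s.vault_path, session_keys_zeroed(&s));
    return 0;
}
```

Two details matter more than they look. Both digest comparisons run unconditionally, so accepting the duress PIN takes the same time as accepting the real one; and the zeroing writes through a volatile pointer, so the optimiser cannot delete a memset whose buffer is never read again.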
🛡️ Cryptographic Polish & "Anti-Stupid" Verification

We also closed several logical security loopholes in the v2.3.0 release:

Credential Validation on Registration: the firmware now rejects master passwords that contain the user's login name.

Convincing Mimicry Headers: the obfuscation layer on the AsyncWebServer was upgraded. It now generates convincing decoy Authorization and Session headers to mask the internal API endpoints and confuse anyone sniffing local Access Point (AP) mode traffic. This is obfuscation layered on top of the application-layer encryption, not a replacement for it.

Persistent AP Lifecycles: fixed a critical session lifecycle bug in AP mode where sessions could survive a soft-AP restart. Restarting AP mode now strictly invalidates and flushes the token table.
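The AP-restart fix is the kind of bug that is easy to reintroduce, so here is one robust way to structure the token table, again as an added example and not the project's code. Tokens are assumed to be random bytes generated elsewhere and handed in by the caller; the slot count, the generation counter and the function names are assumptions:

```c
/* AP session-table lifecycle sketch (added illustration, not SecureGen's own code).
 * Assumption: tokens are random bytes produced elsewhere and passed in by the caller. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 4
#define TOKEN_LEN 16

typedef struct {
    uint8_t  token[TOKEN_LEN];
    uint32_t ap_generation;   /* which AP lifetime issued this token */
    bool     in_use;
} session_slot_t;

typedef struct {
    session_slot_t slots[MAX_SESSIONS];
    uint32_t       ap_generation;   /* bumped on every soft-AP (re)start */
} session_table_t;

/* Zeroing the optimiser cannot drop. */
static void secure_zero(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) *p++ = 0;
}

/* Constant-time byte comparison, no early exit. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t len) {
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

void table_init(session_table_t *t) {
    memset(t, 0, sizeof *t);
    t->ap_generation = 1;
}

/* Hook for the soft-AP start/restart path: scrub every token AND move to a new
 * generation, so a slot that somehow escaped the flush can never validate again. */
void on_ap_restart(session_table_t *t) {
    t->ap_generation++;
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        secure_zero(t->slots[i].token, TOKEN_LEN);
        t->slots[i].in_use = false;
    }
}

/* Stores a freshly generated token, stamped with the current AP generation. */
bool issue_session(session_table_t *t, const uint8_t token[TOKEN_LEN]) {
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        if (!t->slots[i].in_use) {
            memcpy(t->slots[i].token, token, TOKEN_LEN);
            t->slots[i].ap_generation = t->ap_generation;
            t->slots[i].in_use = true;
            return true;
        }
    }
    return false;   /* table full: reject rather than silently evict a live session */
}

/* A presented token is valid only if a slot is in use, matches byte-for-byte and
 * carries the current AP generation. Every slot is scanned; no return on first hit. */
bool session_valid(const session_table_t *t, const uint8_t token[TOKEN_LEN]) {
    bool found = false;
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        const session_slot_t *s = &t->slots[i];
        bool match = s->in_use
                  && ct_equal(s->token, token, TOKEN_LEN)
                  && s->ap_generation == t->ap_generation;
        found |= match;
    }
    return found;
}

/* Number of live slots, handy for checking that a restart really emptied the table. */
size_t active_sessions(const session_table_t *t) {
    size_t n = 0;
    for (size_t i = 0; i < MAX_SESSIONS; i++) n += t->slots[i].in_use;
    return n;
}

int main(void) {
    session_table_t t;
    table_init(&t);
    const uint8_t tok[TOKEN_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}; /* constructed */
    issue_session(&t, tok);
    printf("before restart: valid=%d live=%zu\n", session_valid(&t, tok), active_sessions(&t));
    on_ap_restart(&t);
    printf("after restart:  valid=%d live=%zu\n", session_valid(&t, tok), active_sessions(&t));
    return 0;
}
```

Flushing the slots on restart is the fix itself; stamping every token with the AP generation is the belt-and-braces part, because a token copied out of the table before the restart still fails validation afterwards.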

๐Ÿ› Squashing the Brutal Bugs

If you have ever developed an asynchronous web server on the ESP32 under memory pressure, you know it can be a nightmare. We squashed two major stability bugs:

AsyncWebServer Double-Send Crashes: Fixed a race condition in the HTTP request body handlers where a client disconnect during large chunked transfers triggered a double-send response, causing a hard panic.

The BLE Zero-Padding Bug: When broadcasting the random BLE PIN, the display logic was dropping leading zeros, showing 6 instead of 000006. This has been fixed to ensure strict zero-padded strings.

UI Element ID Drag-and-Drop Desync: Moving rows via drag-and-drop physically moved the DOM elements, but their bound timer IDs (timer-0, progress-0) stayed in place. We rewrote the post-drop handler to call updateKeysTable() and cleanly rebuild the table schema dynamically.

📈 Roadmap & Documentation

To support this new multi-board ecosystem, we released two massive community guides:

RTC Mastering Guide: complete wiring layouts for connecting an external high-accuracy DS3231 hardware clock over I2C, so the device can generate TOTP codes fully offline without ever syncing to NTP.

Porting Guide: Step-by-step documentation for custom platformio.ini setups, defining custom deep sleep wake pins, and tweaking display geometry for any third-party ESP32/S3 developer board.

🔗 Explore the Project

The project remains 100% open-source, trustless, and cloud-free.

🚀 GitHub Repository: https://github.com/makepkg/SecureGen

💻 Flash directly from your browser (Chrome/Edge): https://makepkg.github.io/SecureGen/flash

🛠️ Hackster Project: https://www.hackster.io/makepkg/securegen-open-source-totp-authenticator-password-manager-c350d6

Have you ever built a decoy system or worked with the ESP32-S3's native USB HID? Let's talk about firmware security and physical threat models in the comments below!