Description

GeekOTP is a SUSE Hackweek project aimed at building a multi-account, physically secure Time-based One-Time Password (TOTP) generator using the Raspberry Pi Pico 2 W and the TinyGo environment.
The device functions as a dedicated, trusted hardware token, emphasizing both security and user-friendly provisioning.

The device leverages its built-in Wi-Fi to enable a custom Over-the-Air (OTA) update capability. When triggered, the Pico 2 W hosts a minimal TinyGo HTTP server that listens for an updated bundle of encrypted secrets. These secrets are protected using AES symmetric encryption, where the decryption key is uniquely derived from the user's secret directional combo and the device's Chip ID, providing strong hardware-bound security.

Goals

The primary goals are to explore advanced embedded programming, secure network server functionality, and hardware-backed security principles:

  • Pico 2 Hardware Mastery: Utilize the TinyGo environment to configure and drive all required components: the RP2350's Wi-Fi module, an external OLED display, and the 6-button directional keypad.
  • Secure Over-the-Air Provisioning (OTA Push): Implement a robust TinyGo HTTPS server that the device hosts itself to securely receive and store the encrypted multi-secret bundle pushed from an external computer.
  • Cryptographic Secret Management: Implement the necessary cryptographic primitives in TinyGo (specifically AES decryption) to decrypt the multi-secret bundle.
  • Hardware-Bound Security: Implement a Device-Specific Encryption scheme by deriving the Master Key from the user's secret directional combo and the Pico 2's unique Chip ID. This secures the secrets against simple physical extraction.
  • User-Friendly Security: Design and implement the firmware to use the 6-button keypad to recognize a complex directional combo sequence for fast unlocking and session management.
  • Multi-Account Functionality: Implement a persistent and navigable data structure in firmware to cycle through and generate TOTP codes for various accounts (e.g., SUSEID, GitHub, etc.).
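The hardware-bound scheme described in the Description and in the "Cryptographic Secret Management" and "Hardware-Bound Security" goals, written out as an added standard-Go example; this is not code from the enrichman/geekotp repository. The page does not say which key-derivation function or AES mode the project uses, so HKDF-SHA256 with the Chip ID as salt and AES-256-GCM are assumptions made here, as are the `Direction` encoding, the info label and the constructed 8-byte sample Chip ID.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Direction is one press on the 6-button directional keypad.
// The numeric encoding is an assumption made for this example.
type Direction byte

const (
	Up Direction = iota
	Down
	Left
	Right
	Center
	Back
)

// hkdfSHA256 is a minimal HKDF (RFC 5869) extract-then-expand built on
// crypto/hmac, so the example has no dependency outside the standard library.
func hkdfSHA256(ikm, salt, info []byte, length int) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)

	var okm, block []byte
	for counter := byte(1); len(okm) < length; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(block)
		expand.Write(info)
		expand.Write([]byte{counter})
		block = expand.Sum(nil)
		okm = append(okm, block...)
	}
	return okm[:length]
}

// DeriveMasterKey turns the user's directional combo (input keying material)
// and the device's unique Chip ID (salt) into a 256-bit AES key. Because the
// Chip ID enters the derivation, a flash image copied to another board yields
// a different key and cannot open the bundle.
func DeriveMasterKey(combo []Direction, chipID []byte) []byte {
	ikm := make([]byte, len(combo))
	for i, d := range combo {
		ikm[i] = byte(d)
	}
	return hkdfSHA256(ikm, chipID, []byte("geekotp-master-key-v1"), 32)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBundle is the provisioning-computer side: AES-256-GCM with a random
// 12-byte nonce prepended to the ciphertext. GCM authenticates the data, so a
// tampered bundle or a wrong key is rejected instead of decrypting to garbage.
func SealBundle(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenBundle is the device side: split off the nonce, then verify and decrypt.
func OpenBundle(key, bundle []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(bundle) < gcm.NonceSize() {
		return nil, errors.New("bundle too short")
	}
	return gcm.Open(nil, bundle[:gcm.NonceSize()], bundle[gcm.NonceSize():], nil)
}

func main() {
	// Constructed sample values: a six-press combo and an 8-byte Chip ID.
	combo := []Direction{Up, Up, Right, Down, Center, Left}
	chipID := []byte{0xe6, 0x61, 0x64, 0x08, 0x43, 0x2b, 0x9d, 0x2e}

	key := DeriveMasterKey(combo, chipID)
	bundle, _ := SealBundle(key, []byte("GitHub:GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
	secrets, err := OpenBundle(key, bundle)
	fmt.Printf("same device: %q (err=%v)\n", secrets, err)

	// Same combo on a different board: the key differs and GCM rejects the bundle.
	_, err = OpenBundle(DeriveMasterKey(combo, []byte{1, 2, 3, 4, 5, 6, 7, 8}), bundle)
	fmt.Println("other device:", err)
}
```

One caveat a reviewer would raise about this shape of scheme: a six-button combo carries only a few bits per press, so against an attacker who holds both a flash dump and the Chip ID the key is only as strong as the combo itself. HKDF is a fast KDF; if that threat is in scope, a deliberately slow or memory-hard derivation of the combo, or a longer combo, is what buys time.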

Resources


Results

The initial goal was ambitious, which forced the core security features to be postponed: OTA data transfer and Master Key Encryption (which requires an RTC clock). However, the results achieved and the findings gathered leave optimistic room for implementing these components in future development phases. In the end, the GeekOTP project established a functional foundation for developing a secure TOTP hardware token.

Day 1: Establishing Stability and Tooling

The first day was focused entirely on achieving a stable base environment. After the initial hardware setup, including pin soldering on the Pico 2 W and installing the TinyGo toolchain in VS Code, an immediate challenge arose: the internal LED failed to respond, because it is connected to the Wi-Fi chip rather than to a standard RP2350 pin. This was overcome by pivoting to an external LED test to validate that the core GPIO pins were functional. A dedicated button for controlled reset and flash operations was then integrated, streamlining the otherwise tedious development loop.

Day 2: Network Challenges and Strategic Pivot

Day two involved the crucial decision to abandon the initial plan for Wi-Fi Access Point (AP) configuration. The stability required for reliable OTA provisioning could not be achieved quickly with the available drivers. A strategic pivot was made to the Bluetooth Low Energy (BLE) stack, which showed immediate promise and stability. The foundation for a GATT Server with custom Services and Characteristics for the secrets exchange was successfully implemented, though initial tests revealed packet size limitations (MTU issues) that would need future resolution.

Day 3: Defining UX and Core Logic

With network options stabilized, development shifted to the core user experience. Structuring the application around the core TOTP generation logic began, and confirmed that time-based codes can be calculated within the TinyGo environment. This work also exposed the need for an RTC clock for accurate timekeeping, a component that was not part of the original design scope.
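The TOTP calculation that Day 3 confirmed works in TinyGo, written out as an added standard-Go example (not code from the enrichman/geekotp repository): RFC 4226 HOTP under RFC 6238 time stepping, plus decoding of the base32 secret form used in otpauth:// provisioning strings. The function names and the 30-second, 6-digit defaults are this example's assumptions; the secret in `main` is the RFC 6238 Appendix B test secret, so the output can be checked against the RFC's published vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// DecodeBase32Secret decodes a shared secret as it appears in otpauth:// URIs:
// RFC 4648 base32, usually unpadded and sometimes lower-case or with spaces.
func DecodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to 31 bits, then reduction to the requested digit count.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, truncated%mod)
}

// TOTP implements RFC 6238: the HOTP counter is the number of whole time steps
// since the Unix epoch. On the device t comes from the RTC; if the RTC drifts by
// more than the step, the code stops matching what the verifying server computes.
func TOTP(secret []byte, t time.Time, step time.Duration, digits int) string {
	stepSeconds := uint64(step / time.Second)
	return HOTP(secret, uint64(t.Unix())/stepSeconds, digits)
}

// SecondsLeft reports how long the current code remains valid, which the LCD
// can show as a countdown next to the code.
func SecondsLeft(t time.Time, step time.Duration) int {
	stepSeconds := int64(step / time.Second)
	return int(stepSeconds - t.Unix()%stepSeconds)
}

func main() {
	// RFC 6238 Appendix B test secret ("12345678901234567890") in base32 form.
	secret, err := DecodeBase32Secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		t := time.Unix(ts, 0)
		fmt.Printf("T=%d code=%s valid for %ds\n", ts,
			TOTP(secret, t, 30*time.Second, 6), SecondsLeft(t, 30*time.Second))
	}
}
```

The RTC dependency the paragraph mentions is visible in the signature: everything hinges on `t`. A token whose clock is off by one step produces a code the server has never computed, which is why a real RTC and a way to set it are part of the bill of materials rather than a nicety.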

Day 4: Overcoming Input and Output Limitations

This day brought significant design pivots to speed up development: the keypad was judged too cumbersome for quick setup, and while a rotary encoder was considered an interesting and fun solution, the spare component available proved unreliable. This led to the final decision to use a minimal two-button input scheme (NAV/SELECT). Critically, an accidental short circuit required replacing the delicate OLED display with the robust HD44780 character LCD. The final two buttons and the LCD in 4-bit mode were successfully integrated, finalizing the input/output scheme needed for the menu.

Day 5: Optimization and Power Management

The final day was dedicated to polishing the UI and adding a power optimization feature. The navigation logic was finalized using a very simple menu (Code and Info) to manage settings with only two buttons. An automatic "Screen Off" feature after 10s of inactivity was implemented, which required modifying the backlight circuit to use an NPN transistor switch. This was successfully controlled via a GPIO pin, completing the functional prototype and demonstrating full software command over power management.

The HackWeek was a fun and successful deep dive into the world of secure embedded Go.

While the journey was a series of quick pivots, from Wi-Fi to BLE and from OLED to LCD, the project now stands on a stable hardware and software footing. The new components (RTC clock, integrated input display, and additional rotary encoders) have already been acquired, making future tinkering possible and fun. The complexity encountered while architecting the hierarchical menu framework highlights a possible need within the TinyGo ecosystem, suggesting that this challenging area presents an opportunity to build a standardized, open-source library for easy UI navigation.

The entire project codebase is available for public use and exploration in the enrichman/geekotp GitHub repository.

This project is part of:

Hack Week 25

Activity

  • 15 days ago: ecandino originated this project.

  • Comments

    • abergmann
      10 days ago by abergmann

      Hey Enrico! How far have you come with your TOTP project? I'm working on something similar with an ESP32.

      • ecandino
        4 days ago by ecandino

        Cool! Last year I played a bit with those (cheaper and very powerful) but the ESP32 is (still?) lacking the TinyGo support for WiFi and Bluetooth. So the code part was quite challenging for me.

        This year I wanted to try out the Pico 2 W because of the TinyGo support. And using Go with it was a breeze!

        I added a summary of the hackweek, quite challenging, but very fun!

    • lkocman
      5 days ago by lkocman

      Hello @ecandino, can you please write a summary of what happened during Hackweek25? Your project has the potential for a large outreach impact. Thank you

      • ecandino
        4 days ago by ecandino

        Hi @lkocman, I have edited the description adding the results, and the daily breakdown of the development! Thank you!