Hardware

What's inside the gadget, what each chip does, and how the modules connect to each other. If you're auditing the build for trust, this is the page.

Components

Waveshare RP2350-Touch-LCD-3.5

A single off-the-shelf module bought as one unit and not modified. Bundles five things on one PCB:

  • MCU: Raspberry Pi RP2350B. Dual Cortex-M33, 520 KB SRAM. Hardware TRNG on silicon — this is the source of every OTP key byte. No software random number generator is used to generate key material.
  • Display: 3.5" IPS LCD, 320 × 480, ST7789 controller over SPI. Passive driver chip, no firmware, no radio.
  • Touch: capacitive panel with FT6336U controller over I2C. Passive.
  • PMIC: AXP2101. Handles battery charging, voltage regulation, and the power button. Controlled over I2C.
  • Onboard MicroSD slot: standard TF socket wired to the MCU via SPI. Just contacts and a pinout.

The module also carries a PCF85063 RTC chip on the same internal I2C bus. The firmware uses it for one thing: storing the PIN-cooldown deadline as wall-clock time, so power-cycling the device can't shortcut a cooldown after wrong PIN attempts.

External modules

  • GM861XS QR scanner: UART (TTL 3.3 V). An image sensor plus a small MCU running closed vendor firmware. It decodes QR codes and outputs the decoded text over UART. No on-board storage, no display, no radio.
  • Guest MicroSD breakout: bare passive board with a card socket and a 6-pin header. No regulator, no level shifter, no chips of any kind. Pure passthrough at 3.3 V.
  • Battery: single-cell 3.7 V LiPo, ~1800 mAh.
  • USB-C: built into the Waveshare module. Used for charging and, in development, for flashing firmware. Not used during normal operation.

What is deliberately not on the device

This is the core trust claim. None of the following exist anywhere on the gadget:

  • No Wi-Fi chip
  • No Bluetooth chip
  • No cellular modem
  • No LoRa or any other long-range radio
  • No GPS receiver
  • No microphone
  • No speaker
  • No camera exposed to the main MCU (the QR scanner's internal sensor is a trust boundary — see below)
  • No external flash or EEPROM beyond the MicroSD cards the user inserts
  • No second general-purpose MCU under the main MCU's control

If a device claims to be this gadget and contains any of the above, it isn't this design.

GPIO pin allocation

Everything inside the RP2350-Touch-LCD-3.5 module is wired by Waveshare; only the QR scanner and the guest SD breakout need pins on the user-accessible header.

BusPinsConnected to
SPI0 (hardware)GPIO 18, 19Onboard LCD (ST7789)
SPI1 (hardware)GPIO 26, 27, 28, 31Onboard MicroSD slot
I2C1GPIO 34 (SDA), 35 (SCL)FT6336U touch, AXP2101 PMIC, PCF85063 RTC
UART1GPIO 4 (TX), 5 (RX)GM861XS QR scanner
SoftSPI (bit-banged)GPIO 3, 6, 32, 33Guest MicroSD breakout

The guest SD bus is software-bitbanged, not a hardware SPI peripheral — it can't collide with the onboard LCD or SD buses. GPIO 34 and 35 are reserved (they're shared with the onboard touch I2C); nothing else may be wired to them.

For the physical layout of the header solder points, see the wiring diagram in the repo.

Wiring diagram

The diagram in assembly/how-to-connect-components.jpg shows every wire between the Waveshare board, the QR scanner, and the guest SD breakout. The battery uses the dedicated JST socket on the Waveshare board (not the GPIO header) and is not in the diagram.

A few rules worth memorising before you solder:

  • The guest SD breakout must be the bare 6-pin 3.3 V passive variant — no regulator, no level shifter, no ICs. The BOM lists the exact SKU.
  • The QR scanner UART runs at 3.3 V TTL, not RS-232. Direct connection to the MCU UART pins, no converter.
  • Battery polarity is not standardised on hobby MX1.25 cables. Check with a multimeter before plugging the battery into the JST socket — reversed polarity will damage the AXP2101 PMIC and brick the board. If the cable doesn't match, swap the wires at the MX1.25 connector.

USB and controls

There are exactly two ways to interact with the gadget:

  • USB-C port (on the Waveshare module) — charging and, in development mode, flashing firmware over mpremote. Plugging in a cable on a powered-down device starts charging but does not boot the firmware; the firmware deliberately shuts back down if it boots from USB power without a button press.
  • PWR button (on the Waveshare module) — short press to power on. Long press (~5 seconds) to force a hardware shutdown if the firmware ever hangs. This is a backstop; an 8-second watchdog reboots normally before you'd need to use it.

There are no other user-facing buttons, no headphone jack, no SIM tray, no SD-card-removable cover. A small recessed RESET pinhole is reachable through the case for development/recovery; in normal use you never touch it. The two MicroSD cards (onboard + guest) are inserted by sliding into their respective slots from outside the case.

Trust boundary on the QR scanner

The GM861XS is closed-source: it runs its own firmware that the device can't audit. The trust assumption is that:

  • It can't exfiltrate anything (no radio, no storage path out).
  • It could, in principle, alter the decoded text before sending it over UART.

The mitigation is that everything the scanner ever decodes is OTP-encrypted ciphertext plus a MAC tag. Tampering with the ciphertext fails authentication on decryption. The scanner has no way to forge a valid MAC — that would require the secret pad bytes it never sees.

Next: Case — printing the enclosure and the checks to do before you commit a long print.

Ask a question

Missing something?

Send a question about this page. Useful questions may become FAQ or troubleshooting entries later.

Pinned to 0e7c8e4 · 2026-06-02