KalkMate — Hardware & Advanced IoT Firmware
The complete R&D journey of the KalkMate smart calculator. The heart of the newest revision (v1.0.0, PCB v4) is a powerful dual-core ESP32-S3 chip running custom FreeRTOS-based firmware. The project strongly emphasizes cybersecurity and performance, introducing proprietary mechanisms like Signed OTA (ECDSA digital signatures), cryptographic key obfuscation, and safe Dual Boot architecture.
- Flash / PSRAM Memory
- 16 MB / 8 MB
- OTA Encryption
- ECDSA P-256
- MCU Architecture
- Dual-Core Xtensa LX7
Overview
With the transition to PCB revision v4, the KalkMate project evolved into a mature, highly secure IoT product, optimized for school and exam environments. The massive performance leap in hardware paved the way for implementing advanced software techniques rarely seen in amateur engineering projects.
Hardware Architecture
The new "brain" of the device is the robust ESP32-S3-WROOM-1-N16R8 module, featuring a dual-core Xtensa LX7 processor (240 MHz), a massive 16 MB of Flash memory (Quad-SPI), and 8 MB of operational PSRAM (Octal-SPI).

    graph TD
        A[ESP32-S3-WROOM] -->|SPI Interface| B(OLED SSD1322)
        A -->|I2C Bus| C(MCP23017 Expander)
        A -->|8-bit parallel| D(OV2640 Camera)
        C --> E[27-key Membrane Keyboard]
        F[LiPo Power + MT3608 14.5V] --> A
Memory Structure & Firmware Architecture
The firmware was built modularly using PlatformIO (Arduino ESP32 Core + FreeRTOS). The microcontroller utilizes advanced partition management:
- Dual Boot OTA (app0, app1): Two independent factory partitions (6.25 MB each). Updates are downloaded "in the background" and feature an automatic rollback if the new version triggers a kernel panic during boot.
- NVS (Non-Volatile Storage): Isolated memory blocks securely storing WiFi credentials (WPA2/WPA3), license keys, and the AI history cache.
- SPIFFS File System: Used for local caching of student notes and test sheets synchronized with the cloud.
Cybersecurity, Isolation & "Panic Key"
Because KalkMate operates in strict educational environments, we implemented uncompromising security measures.
Signed OTA (Malware Protection): Every Over-The-Air firmware update is cryptographically protected. Before any code is committed to Flash memory, the device verifies the downloaded digital signature (DER format) using an embedded ECDSA P-256 public key and the mbedtls library. Unauthorized or tampered server payloads are instantly rejected.
API Key Obfuscation (Compile-time XOR): The secret communication key is never stored in plain text. During compilation, the key is XOR-masked with a random 16-byte array. Decryption happens purely in RAM for only a fraction of a second before network transmission, so the key does not show up when the strings command is run on the firmware.bin file.
System Panic Key: The calculator features a programmable escape key (mapped inside the NVS partition) which triggers an interrupt, entirely hiding the AI capabilities and immediately reverting the UI to a standard office calculator.
Hardware Camera Isolation: The mainboard strictly controls the OV2640 camera via the PWDN pin on the I2C expander. Right after a photo is captured, the camera is physically deprived of operational power, eliminating any possibility of remote eavesdropping or background monitoring.
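The compile-time XOR masking described under API Key Obfuscation can be sketched as follows. This is an added example, not KalkMate's firmware: the mask bytes, the key value and the names mask_key, wipe and build_license_header are hypothetical, and only the x-license-key header name comes from the page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed placeholders: not KalkMate's real mask or key.
constexpr std::size_t MASK_LEN = 16;
constexpr std::uint8_t MASK[MASK_LEN] = {
    0x5a, 0xc3, 0x17, 0x9e, 0x2b, 0xf0, 0x64, 0x8d,
    0x31, 0xa7, 0x4c, 0xe9, 0x06, 0xbb, 0x72, 0xd5};

template <std::size_t N>
struct Masked { std::uint8_t bytes[N]; };

// Evaluated by the compiler: only the XOR-ed bytes are emitted into the image.
template <std::size_t N>
constexpr Masked<N> mask_key(const char (&plain)[N]) {
    Masked<N> out{};
    for (std::size_t i = 0; i < N; ++i)
        out.bytes[i] = static_cast<std::uint8_t>(plain[i] ^ MASK[i % MASK_LEN]);
    return out;
}

constexpr auto API_KEY = mask_key("demo-license-key-0000");
static_assert(API_KEY.bytes[0] != 'd', "key must not be stored in clear");

// Zero through a volatile pointer so the optimizer cannot drop the stores.
inline void wipe(void* p, std::size_t n) {
    volatile std::uint8_t* v = static_cast<volatile std::uint8_t*>(p);
    while (n--) *v++ = 0;
}

// Unmask on the stack, format the header, wipe the clear copy.
// Returns the header length, or 0 if `hdr` is too small.
std::size_t build_license_header(char* hdr, std::size_t cap) {
    char key[sizeof API_KEY.bytes];
    for (std::size_t i = 0; i < sizeof key; ++i)
        key[i] = static_cast<char>(API_KEY.bytes[i] ^ MASK[i % MASK_LEN]);
    int n = std::snprintf(hdr, cap, "x-license-key: %s", key);
    wipe(key, sizeof key);
    return (n > 0 && static_cast<std::size_t>(n) < cap) ? static_cast<std::size_t>(n) : 0;
}

int main() {
    char hdr[64];
    std::size_t n = build_license_header(hdr, sizeof hdr);
    std::printf("%zu bytes: %s\n", n, hdr);
    wipe(hdr, sizeof hdr);  // the header buffer holds the clear key too
    return n ? 0 : 1;
}
```

The mask ships in the same image as the masked bytes, so this hides the key from string scans only; treat the key as recoverable and keep it revocable on the server. Running strings on the built binary confirms whether the toolchain left the clear literal out.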
Networking & Power Efficiency
The device connects to the Next.js infrastructure using the secure HTTPS (TLS 1.2/1.3) protocol. Requests are properly authenticated using custom headers (x-device-id, x-license-key). The image captured by the camera (protected against server-side DoS attacks with an 8 MB cap) is ultimately routed to the Google Gemini 2.5 Pro computational cloud, returning a clear, step-by-step solution to the student's OLED screen.

    // Active reduction of the WiFi Radio TX Power Limit to 11 dBm (~12.5 mW).
    // Goal: Minimize peak battery voltage drops under heavy load
    // and keep RF emissions far below the European 100 mW limit.
    WiFi.setTxPower(WIFI_POWER_11dBm);
Results
- 16 MB / 8 MB
- Flash / PSRAM Memory
- ECDSA P-256
- OTA Encryption
- Dual-Core Xtensa LX7
- MCU Architecture