The world's first native C implementation of the SimpleX Messaging Protocol.
Encrypted communication and IoT on dedicated hardware. No smartphone, no cloud, no compromises.
SimpleGo is an open-source platform for encrypted communication and secure data transmission on dedicated microcontroller hardware. It combines private messaging with IoT sensor monitoring and remote device control in a single, auditable firmware stack.
Sensitive data belongs on hardware you control, transmitted through channels nobody else can read. Whether that data is a text message, a temperature reading from a medical sensor, or a command to a remote access system.
Built entirely in C. Runs on affordable off-the-shelf hardware. Operates its own relay infrastructure. Small enough to audit.
Every message passes through five independent cryptographic layers before it leaves the device.
| Layer | Algorithm | What it protects against |
|---|---|---|
| End-to-End | X3DH (X448) + Double Ratchet + AES-256-GCM | Interception. Every message has its own key. Perfect forward secrecy + post-compromise security. |
| Post-Quantum | sntrup761 KEM hybrid with X448 | Future quantum computers. Key exchange is quantum-resistant from the first message. |
| Per-Queue | X25519 + XSalsa20 + Poly1305 | Traffic correlation between message queues. Knowledge of Queue A reveals nothing about Queue B. |
| Server-to-Recipient | NaCl cryptobox (X25519) | Correlation of incoming and outgoing server traffic, even with full server access. |
| Transport | TLS 1.3 (mbedTLS) | Network-level attackers. No downgrade possible. Server identity verified via SHA-256 key hash pinning. |
All messages are padded to a fixed 16 KB block size at every layer. A network observer sees only equal-sized packets.
Private Messaging - Turn on the device, connect to WiFi, scan a QR code, start chatting. No accounts, no phone numbers, no usernames. Your keys never leave your device.
Medical and Health Monitoring - Transmit patient data and sensor readings in compliance with data protection regulations. End-to-end encryption ensures sensitive health information cannot be intercepted during transmission.
Industrial Sensor Networks - Collect and transmit data from environmental sensors, production equipment, or infrastructure monitoring. Encrypted channels prevent data manipulation and protect operational intelligence. Relevant for water treatment, energy infrastructure, manufacturing, and SCADA environments.
Building Security and Access Control - Manage door locks, alarm systems, and surveillance through encrypted channels. Commands and sensor states cannot be intercepted or spoofed.
Emergency Communication - Communicate over WiFi and local networks without centralized infrastructure. Planned LoRa support will extend this to long-range off-grid scenarios.
Agriculture and Environmental Monitoring - Transmit soil moisture, weather data, and irrigation commands across remote locations. Protect operational data from competitors and unauthorized access.
Fleet and Asset Tracking - Monitor location, temperature, and status of sensitive shipments. Prevent third parties from building movement profiles.
Journalism and Human Rights - Deploy sensors or communication relays in regions where monitoring is dangerous. Anonymized data transmission protects both source and operator.
Flash SimpleGo directly from your browser. No tools, no command line, no drivers (on most systems).
- Open simplego.dev/installer in Chrome 89+ or Edge 89+
- Choose Open Mode (development) or Vault Mode (hardware-secured)
- Connect your T-Deck Plus via USB-C
- Click Install Firmware
The web installer downloads the correct merged binary, erases the flash, writes the firmware at 921,600 baud, and reboots the device. Total time: approximately 60-90 seconds.
| Item | Details |
|---|---|
| LilyGo T-Deck Plus | Available for $50-70 from lilygo.cc or AliExpress |
| MicroSD card | Any size, formatted as FAT32. Required for encrypted chat history storage. |
| USB-C cable | For flashing and serial monitoring |
| ESP-IDF 5.5.2 | Espressif IoT Development Framework (download) |
1. Install ESP-IDF
Download and run the ESP-IDF Offline Installer for version 5.5.2. After installation, open "ESP-IDF 5.5 PowerShell" from the Start menu. All following commands are entered there.
2. Clone the repository
cd C:\Espressif\projects
git clone https://github.com/saschadaemgen/SimpleGo.git
cd SimpleGo3. Apply mbedTLS patches
SimpleX relay servers use ED25519 certificates which ESP-IDF's mbedTLS does not support natively. These patches are required for the TLS connection to work. See patches/README.md for details.
.\patches\apply_patches.ps14. Build
The default build includes NVS encryption and eFuse auto-provisioning. For development, use the Open overlay:
# Default build (production-ready, NVS encryption enabled)
idf.py build
# Open Mode (development, no NVS encryption, unlimited reflash)
idf.py -DSDKCONFIG_DEFAULTS="sdkconfig.defaults;sdkconfig.defaults.open" build
# Vault Mode (hardware-secured, HMAC eFuse protection)
idf.py -DSDKCONFIG_DEFAULTS="sdkconfig.defaults;sdkconfig.defaults.vault" build5. Flash
Connect the T-Deck Plus via USB-C. Check which COM port it uses in the Device Manager.
idf.py flash monitor -p COM6Replace COM6 with your actual port.
6. First boot
The device shows a WiFi setup screen. Select your network and enter the password using the keyboard. After connecting, the main screen appears. Insert a FAT32-formatted MicroSD card for encrypted message storage.
1. Install ESP-IDF
sudo apt update && sudo apt install -y git wget flex bison gperf python3 python3-pip python3-venv cmake ninja-build ccache libffi-dev libssl-dev dfu-util libusb-1.0-0
mkdir -p ~/esp && cd ~/esp
git clone -b v5.5.2 --recursive https://github.com/espressif/esp-idf.git
cd esp-idf
./install.sh esp32s3
source export.shNote: You need to run source ~/esp/esp-idf/export.sh in every new terminal session.
2. Clone the repository
cd ~
git clone https://github.com/saschadaemgen/SimpleGo.git
cd SimpleGo3. Apply mbedTLS patches
chmod +x patches/apply_patches.sh
./patches/apply_patches.sh4. Build
# Default build (production-ready)
idf.py build
# Open Mode (development)
idf.py -DSDKCONFIG_DEFAULTS="sdkconfig.defaults;sdkconfig.defaults.open" build
# Vault Mode (hardware-secured)
idf.py -DSDKCONFIG_DEFAULTS="sdkconfig.defaults;sdkconfig.defaults.vault" build5. Set serial port permissions
sudo usermod -a -G dialout $USERLog out and log back in for this to take effect.
6. Flash
Connect the T-Deck Plus via USB-C. Find the port:
ls /dev/ttyACM* /dev/ttyUSB*Flash and monitor:
idf.py flash monitor -p /dev/ttyACM0Replace /dev/ttyACM0 with your actual port.
7. First boot
The device shows a WiFi setup screen. Select your network and enter the password using the keyboard. After connecting, the main screen appears. Insert a FAT32-formatted MicroSD card for encrypted message storage.
To create merged binary images for distribution or the web installer:
# Build first (any mode), then merge with correct app offset 0x110000:
python -m esptool --chip esp32s3 merge_bin \
-o simplego-tdeck-plus-v0.2.0-beta-open.bin \
--flash_mode dio --flash_freq 80m --flash_size 16MB \
0x0 build/bootloader/bootloader.bin \
0x8000 build/partition_table/partition-table.bin \
0x110000 build/simplex_client.binThe app offset is 0x110000 (not 0x10000). This is determined by the custom partition table. Verify with cat build/flash_args.
SimpleGo supports three security configurations using ESP32-S3 hardware security features. The base configuration (sdkconfig.defaults) already includes NVS encryption and eFuse auto-provisioning. The Open and Vault configs are overlays that modify these settings.
| Mode | What it does |
|---|---|
| Default | Full build with NVS encryption and eFuse auto-provisioning enabled. Production-ready security out of the box. |
| Open | Disables NVS encryption and eFuse auto-provisioning. For development and debugging where you need unlimited reflash and NVS access. |
| Vault | NVS encryption with HMAC-based eFuse key protection (BLOCK_KEY1). The strongest hardware-backed configuration. |
| Feature | Default | Open | Vault |
|---|---|---|---|
| Encrypted messaging (5 layers) | Yes | Yes | Yes |
| SD card encryption (AES-256-GCM) | Yes | Yes | Yes |
| Post-quantum key exchange (sntrup761) | Yes | Yes | Yes |
| NVS encryption | Yes | No | Yes (HMAC) |
| eFuse auto-provisioning | Yes | No | Yes |
| Reflash | Unlimited | Unlimited | Limited |
| Estimated physical attack cost | ~$15 | ~$15 | ~$30,000+ |
Warning: Vault mode permanently burns eFuse fuses on the ESP32-S3. This is irreversible. A wrong configuration will brick the device. Read the full documentation at wiki.simplego.dev/security before using Vault mode.
SimpleGo ships with 21 preset SMP relay servers from three operators:
| Operator | Servers | Purpose |
|---|---|---|
| SimpleX Chat | 14 | Global relay network |
| Flux | 6 | Decentralized hosting |
| SimpleGo | 1 | Project relay at smp.simplego.dev |
Single active server model with radio-button selection. Server switching triggers live Queue Rotation - contacts are migrated to the new server without disconnection or message loss. No reboot required.
Server identity is verified via SHA-256 key hash pinning at four TLS connection points (SEC-07).
SimpleGo is built around a Hardware Abstraction Layer. The entire protocol stack and application logic are device-independent. Adding a new platform means implementing five interface files. Everything above the HAL comes for free.
Current platform:
| Device | LilyGo T-Deck Plus |
| MCU | ESP32-S3, dual-core 240 MHz, 8 MB PSRAM |
| Display | 320x240 LCD with touch |
| Input | Physical QWERTY keyboard, trackball |
| Connectivity | WiFi 802.11 b/g/n, WPA3 |
| Storage | MicroSD (AES-256-GCM encrypted) |
Custom PCB designs with triple-vendor hardware secure elements (Microchip ATECC608B + Infineon OPTIGA Trust M + NXP SE050), LoRa connectivity, physical kill switches, and optional LTE are in development for professional and industrial deployments.
+---------------------------------------------------------------+
| APPLICATION LAYER |
| Messaging / IoT Sensors / Remote Control |
+---------------------------------------------------------------+
| PROTOCOL LAYER |
| 5-Layer Encryption / Key Management / Data Channels |
+---------------------------------------------------------------+
| HARDWARE ABSTRACTION LAYER |
| hal_display / hal_input / hal_network / hal_storage |
+---------------+---------------+---------------+---------------+
| T-Deck Plus | T-Deck Pro | Custom PCB | Desktop |
| ESP32-S3 | ESP32-S3 | STM32 + SE | SDL2 Test |
+---------------+---------------+---------------+---------------+
SimpleGo/
+-- main/
| +-- core/ # FreeRTOS task architecture, frame pool
| +-- crypto/ # X448, AES-256-GCM, NaCl, sntrup761 PQ-KEM
| +-- include/ # Shared header files
| +-- net/ # TLS 1.3 transport, WiFi manager
| +-- protocol/ # SMP protocol, Double Ratchet, handshake
| +-- state/ # Contact management, history, peer connections,
| | # queue rotation, server management
| +-- ui/ # LVGL screens, themes, custom fonts
| +-- util/ # Shared utilities
+-- devices/
| +-- t_deck_plus/ # LilyGo T-Deck Plus HAL implementation
| +-- template/ # Template for new device ports
+-- components/ # sntrup761, zstd, wolfssl_config
+-- patches/ # mbedTLS ED25519 compatibility patches
+-- docs/ # Protocol analysis, architecture documentation
+-- wiki/ # Docusaurus wiki source (wiki.simplego.dev)
+-- ost/ # SimpleGo Original Soundtrack (5 tracks)
Beta software under active development. Core messaging is functional and tested with multiple simultaneous contacts across devices. Queue Rotation verified with four consecutive server migrations.
| Component | Status |
|---|---|
| Encrypted messaging (5-layer) | Working |
| Post-quantum key exchange (sntrup761) | Working |
| Double Ratchet with X448 | Working |
| Multi-contact management (128 slots) | Working |
| Delivery receipts (two checkmarks) | Working |
| Multi-server infrastructure (21 presets) | Working |
| Queue Rotation (live server migration) | Working |
| WiFi manager (multi-network, WPA3) | Working |
| Encrypted SD card storage (AES-256-GCM) | Working |
| Screen lock (configurable timeout) | Working |
| NVS encryption (eFuse HMAC, Vault mode) | Working |
| TLS fingerprint verification (SEC-07) | Working |
| Cross-platform build (Windows + Linux) | Working |
| Web Serial Installer | Working |
| IoT sensor channels | Design phase |
| Remote device control | Design phase |
| LoRa connectivity | Planned |
| Desktop terminal (10" touchscreen) | Planned |
| Resource | Link |
|---|---|
| Full documentation | wiki.simplego.dev |
| Architecture and security model | wiki.simplego.dev/architecture |
| Hardware specifications | wiki.simplego.dev/hardware |
| Web Serial Installer | simplego.dev/installer |
| mbedTLS patch documentation | patches/README.md |
| Coding rules | CODING_RULES.md |
| Contributing guidelines | CONTRIBUTING.md |
| Protocol analysis journal | docs/protocol-analysis/ |
Security vulnerabilities should be reported privately via GitHub's vulnerability reporting feature.
| Component | License |
|---|---|
| Software | AGPL-3.0 |
| Hardware designs | CERN-OHL-W-2.0 |
Espressif (ESP-IDF and ESP32 platform) - LVGL (embedded graphics) - mbedTLS (TLS and cryptography) - wolfSSL (X448 key agreement) - libsodium (NaCl cryptographic operations) - PQClean (sntrup761 post-quantum cryptography)
SimpleGo is an independent open-source project by IT and More Systems, Recklinghausen, Germany.
SimpleGo uses the open-source SimpleX Messaging Protocol (AGPL-3.0) for interoperable message delivery.
It is not affiliated with or endorsed by any third party. See docs/DISCLAIMER.md for full legal notices.
SimpleGo - Encrypted communication and IoT on dedicated hardware.
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}