Made For a Lab. Fits in a Pocket. Verifiable by Design.

Precursor is an open hardware development platform for secure, mobile computation and communication. This pocket-sized device accommodates a built-in display, a physical keyboard, and an internal battery while remaining smaller and lighter than the average smartphone. Precursor was built for use on the road, but it compromises nothing as a development platform. Powered by an FPGA-hosted, soft-core System-on-Chip (SoC), it gives developers the freedom to inspect, verify, and customize nearly every aspect of its operation. Help us take those critical first steps toward a world in which silicon-level trustworthiness is attainable.

Trust It. Because You Can, Not Because You Have to.

We are accustomed to accepting the word of large corporations, like Apple and Google, that our gadgets are trustworthy. Without any hard evidence, we’ve long had to take in on faith that our privacy is being respected and that our personal data is not just one backdoor away from being stolen, exploited, or exposed. (We’ll go ahead and leave "monetized" off that list, since we all know that’s happening.) We’ve had to accept this reality in large part because we’ve had no other choice. Precursor changes the status quo by making evidence-based trust a core principle of its design. We have subjected every aspect of this platform to a level of scrutiny that will allow users to trust their devices. You, the user, will be able to trust Precursor based on scientific evidence that is observable without access to a million-dollar microscope.

The principle of evidence-based trust was at work in our decision to implement Precursor’s brain as an SoC on an FPGA, which means you can compile your CPU from design source and verify for yourself that Precursor contains no hidden instructions or other backdoors. Accomplishing the equivalent level of inspection on a piece of hardwired silicon would be…a rather expensive proposition. Precursor’s mainboard was designed for easy inspection as well, and even its LCD and keyboard were chosen specifically because they facilitate verification of proper construction with minimal equipment.

Thanks to this pivotal design principle, Precursor is well-suited as a hardware development framework for security-critical applications such as password managers, authenticators, crypto wallets, and secure messaging platforms.

Carry It. With You When You Need It

Precursor is also distinctive among open hardware gadgets in that it was designed from the ground up for portability. While most open hardware FPGA development boards share Precursor’s evidence-based, compile-your-own-CPU trust properties, none of them are packaged into a slim, 7.2 mm, machined-aluminum case, complete with a charger, a battery, a display, and a keyboard. And speaking of batteries, Precursor draws less power than most other FPGAs thanks to the "-1L" variant Xilinx Spartan 7-Series at its heart. (The "L" stands for "low leakage.") That efficiency — combined with a super-low-power Lattice iCE40 UP5K FPGA for deep-sleep system management and a Silicon Labs WF200 with integrated network co-processor for Wi-Fi connectivity — allows Precursor to achieve a standby time measured in days and an active screen time of about five to six hours.

Precursor gets your bright idea out of the lab and into your pocket. And if that idea happens to involve software for a password manager, a crypto-wallet, a secure messaging platform, or something similar, then Precursor also gets it well on its way toward its destination as a packaged product.

Jailbreak It? Precursor Was Born Free!

The most important difference between a jail and a home is who controls the lock on the door. Most smartphone companies want you to believe that the gilded jail they’ve designed for you is the safest place to spend your time. Precursor takes a different approach. By giving you the keys to the lock, it gives you a home. And, like your actual home, you’re free to make it your own because we’ve published 100% of Precursor’s design source, from the outer case to the inner CPU core. And once you’re done configuring and inspecting your system, you can activate Precursor’s security features to protect your newly redecorated home from unwelcome intruders.

Situating Precursor Within the Device Ecosystem

We are the first to admit that Precursor isn’t for everyone. It’s a new class of development platform, made for security- and privacy-critical applications. We know it’s not going to replace your smartphone today. Rather, we see it as an indicator of good things to come from the open hardware ecosystem.

Toward the lower left, you’ll see some of FPGA development boards that share Precursor’s ability to compile its primary CPU. Such devices are well within the intersection of trustability and hackability, but they are not pocket-ready. (They might fit in your pocket, sure, but they’ll have pretty limited utility when you pull them out. Unless of course you plan on strapping them to a keyboard, a battery, and a display, in which case…why not let us do it for you?)

Toward the upper left, we have a whole category of devices—including FPGA development boards with hardwired internal CPUs capable of running mainline Linux—that will get the job done if all you care about is hackability. But these devices fail the pocket test as well. And, worse yet, they require that you take the vendor at their word about the absence of undocumented backdoors in those hardwired CPUs.

On the top, toward the middle are devices for enthusiasts who desire pocketability and hackability but who don’t have a strong need for evidence-based trust. Products like the Librem 5 and the PinePhone fall into this category.

Toward the upper right, you’ll find the supercomputer-in-your-pocket smartphones of today. Nothing holds a candle to iOS and Android devices if you’re looking for all the power you can get and have no need for hackability or evidence-based trust

And right there in the middle is Precursor, quite possibly the only device around that occupies the intersection of evidence-based trust, pocket-readiness, and hackability.

Comparisons

Precursor is much more than an FPGA development board and much less than a mobile phone. The tables below help to place Precursor within two different continua: one of gadgets and one of FPGA development boards.

Precursor vs. the Gadgets

For each of the Palm, Blackberry, and Nintendo families of gadgets, we’ve picked two devices: one from the generation with slightly less raw computing power than Precursor (such as the Palm m515) and one from the generation with slightly more raw computing power (such as the Palm Treo 600). We’ve also included the Samsung A11 smartphone, just to keep ourselves honest. If we’re willing to set aside evidence-based trust and hackability, today’s proprietary, full-custom, mass-market production techniques can achieve a truly incredible price-to-performance ratio.

Our four main takeaways from the table are as follows:

1. Precursor's FPGA-based CPU, in terms of raw computing power, is comparable to an era from about 15 years ago.
2. Even 15 years ago, we were doing a lot with the gadgets we could make: planning our days on digital calendars, sending and receiving emails and short messages, listening to music, and playing games, to name just a few examples.
3. CPU power aside, peripheral technologies have improved significantly over those same 15 years, giving Precursor advantages such as faster networking stacks, higher display resolutions, and larger data storage capacities.
4. At a $512, Precursor is at the middle-of-the-pack in terms of non-contract pricing for a new mobile-gadget class. Considering the relatively low production volume we anticipate, this is quite remarkable. With a campaign goal equivalent to a production lot size of under 500 units, we can't bargain with manufacturers like the big companies can.

Our hope is that Precursor will continue to appear over the next decade and a half as a benchmark in many tables like this one, as the starting point on a trend towards the performance and capabilities of mobile, open hardware solutions reaching parity with today’s proprietary solutions. In the meantime, we have to start somewhere. And with your help, we believe Precursor will live up to its name as a harbinger of good things to come.

Precursor vs. the Dev Boards

The table below helps to place Precursor’s capabilities in a different sort of context, this time alongside a pair of development boards with similar FPGA logic capacity. There are really only two things that Precursor has in common with these boards: 1) they all use an FPGA for their CPU, and 2) they are all open hardware, with published PCB and CPU design source. As a result, this is a bit of an apples-to-oranges comparison, but it’s the best we could come up with.

What’s in the Box?

The Precursor tier includes the following items in the box:

• One fully assembled and tested Precursor device in an aluminium case, complete with display, bezel, QWERTY keyboard, and battery, and pre-loaded with low-level factory test firmware.
• One "debug board," which is a Raspberry Pi 3B+ or 4 HAT. This used for low-level debugging and reflashing of the Precursor in case you brick it. Raspberry Pi not included.
• Three alternate keyboard overlays: QWERTZ, AZERTY, and Dvorak.
• Press-fit metal shield for trusted domain of the Precursor PCB (to be installed after verification).
• Four grams of EPO-TEK 301 in a bi-pak, for sealing the metal shield Note: the seal is permanent and we can't do any warranty returns/exchanges on sealed devices. Do not apply glue to active connectors.

The Limited Edition Precursor tier includes all of the above, with a special limited edition case. You will also receive the regular production aluminium case body as well, as a bonus spare part.

What exactly is the Limited Edition case? In a fashion similar to ordering omakase at a sushi bar, we’re going to prepare a premium experience for your enjoyment. In the end, however, what you get will be a bit of a surprise!

Features & Specifications

• Made for developers
  • Easy-access developer's cable (included)
  • Low-level debugging (GDB + Chipscope) and firmware flashing via developer's cable plugged into a custom Raspberry Pi HAT (included)
  • Middleware debugging via USB cable via wishbone tunnel
  • Open source to the core
    • Inspect, modify and compile your SoC and embedded controller from source
    • All source files hosted on GitHub for convenient fork, pull request, and issue tracking
    • Open source PCB and case design
  • Extendable and modifiable
    • No adhesives holding the bezels in place – just one screw driver is all it takes
    • Want to add hardware? Maybe a cellular modem? No problem!
      • Battery compartment is a blank check for your peripherals
      • Install a smaller battery for more space
      • Flex PCB breakout for 8x FPGA GPIO into the battery compartment
      • Bezel is made out of FR-4, and can be user-customized to hold additional components
• Slim and light mobile form factor
  • 69 mm x 138 mm x 7.2 mm
  • 96 grams reference weight
  • Compare to iPhone X at 70.9 mm x 143.6 mm x 7.7 mm and 174 grams
  • Accessible mechanical design
    • 6063 alloy aluminum case -– 3D files provided, so you can mill your own case!
    • FR-4 front bezel -– PCB source provided
    • ABS + PC polymer antenna radome -– 3D printable
• User-customizable CPUs
  • Xilinx XC7S50 primary System on Chip (SoC) FPGA
    • -L1 speed grade for longer battery life
    • Tested with 100 MHz VexRISC-V, RV32IMAC + MMU, 4k L1 I/D cache
  • iCE40UP5K secondary Embedded Controller (EC) FPGA
    • Manages power, standby, and charging functions
    • Tested with 18 MHz VexRISC-V, RV32I, no cache
• 16 MB external SRAM
• 128 MB Flash
  • 100 MHz DDR 8-bit wide bus for fast XIP code performance
• Dual hardware TRNG
  • External discrete noise generator
  • In-SoC ring oscillator based TRNG
• Inspectable I/O
  • Physical keyboard with changeable layout overlays
  • 200 ppi black and white LCD (336 x 536 resolution), 100% inspectable with standard optical microscope
  • Both keyboard and LCD are backlit for night-time use
  • Modular keyboard PCB -- customize layouts, add sensors, or swap in a touch surface
• Audio with safe defaults
  • Integrated 0.7 W speaker for notifications
  • Vibration motor
  • 3.5 mm headset jack
  • No integrated microphone -- audio surveillance is not possible when headset is unplugged
• Integrated Wi-Fi
  • Sandboxed in a hardware-delineated untrusted domain
  • Silicon Labs WF200C chipset
• USB Type-C port
  • Supports charging at 5 V; over-voltage protection tolerant to 20 V
  • Power negotiation to 5 V @ 1.5 A (source and sink)
  • Supports legacy USB 2.0 full-speed PHY
  • Basic DRP negotiation hardware support
• 1100 mAh Li-Ion battery
  • Integrated gas gauge for more accurate battery life estimate
  • Full charge in about three hours
  • Runtime depends on user application
    • Approx. 100 hours standby with Wi-Fi + embedded controller + static display enabled
    • Approx. 700 mW "on-state" (most features enabled and active, backlight off) power draw, or 5.5 hours continuous use
• Anti-tamper features
  • User-sealable metal can for trusted components
  • Dedicated real-time clock (RTC) with basic clock integrity monitoring
  • Power monitors trip reset in case of power glitches
  • Always-on accelerometer/gyro to detect movement in standby
  • Support for instant secure erase via battery-backed AES key and self-destruct circuit

"Betrusted-SoC" Reference Design

Part of the purpose of Precursor is to validate the system-on-chip (SoC) design we hope eventually to produce as a custom ASIC for use in future such products. This SoC, which we call "Betrusted-SoC," is meant to be the central pillar of security for devices like Precursor. The version of Betrusted-SoC used in Precursor is based on a Xilinx FPGA and has the following features:

• XC7S50-1L CSG324I, 80% utilized as of October 2020
• 100 MHz customized VexRISC-V RV32IMAC + MMU core with 4k caches
• Crypto primitives
  • Ring oscillator TRNG (compliments off-chip TRNG)
  • JTAG-based self-fusing for on-chip generation and sealing of secret keys
  • AES-128, -192, -256 with ECB, CBC and CTR modes
  • SHA-2 and SHA-512 digests
  • Microcoded Curve25519 field arithmetic engine
• SPI
  • High speed, 100 MHz DDR OPI SPI interface for code ROM
  • Low speed, 20 MHz SDR 1-bit SPI interface to insecure domain
• I²C (100 kHz) for system integration
• Keyboard switch matrix controller with low power standby
• Bidirectional I²S interface for audio
• Custom frame buffer-based LCD interface
• 32-bit async SRAM interface with standby support
• Standard UART
• Full speed USB device
• Hardware Ticktimer
• 12-bit ADC (system voltage monitor)
• GPIO for power management and extension

"Betrusted-EC" Reference Design

In addition to using Precursor to validate the SoC, we are also validating the embedded controller (EC) that’s in charge of standby power functions, as well as firewalling the untrusted hardware domain in devices like Precursor. The version of "Betrusted-EC" used in Precursor is based on a Lattice FPGA and has the following properties:

• iCE40UP5K SG48, 98% utilized
• 18 MHz LiteX VexRISC-V RV32I core (minimal + debug config)
• I²C (100 kHz) via softcore for system integration
• 2x SPI interfaces
  • FIFO buffered peripheral interface to SoC
  • Controller interface to Wi-Fi chipset
• Hardware tick timer
• Standard UART
• GPIO for power control

Support & Documentation

• SoC FPGA source
• SoC FPGA register set
• EC FPGA source
• Mainboard & case designs
• Project wiki
• Low-level reference firmware
• WIP microkernel
• Guided tour of the mainboard
• IRC channel: #betrusted:matrix.org
• More to come soon as the campaign progresses!

Manufacturing Plan

Precursor consists of the following major elements:

• The Mainboard will be manufactured by AQS, an EMS provider, at their South Korea facility. The bare PCB will be produced by King Credie in Guangdong, China. All of the parts on the BOM were selected explicitly for ready availability in distribution channels such as Mouser and Digi-Key. We do anticipate a 12-week lead time on the Xilinx FPGAs, and acquiring them in a timely fashion represents a risk given the current pandemic and the status of the global supply chain.
• The rear case and radome will be manufactured by Jiada, a contract mechanical engineering supplier located in Guangdong, China. Production rear cases will be manufactured on-demand using a CNC milling process and finished with anodization. The radome will be produced using an injection molding tool that will be opened upon successful conclusion of the funding campaign.
• The battery is sourced from a supplier in Guangdong, China. Because of its short shelf life and high MOQ, this does represent a high risk item. We will finalize the battery supplier and UN38.3 certifications that allow for air shipping after the conclusion of the campaign.
• The front bezel is a step-milled, edge-beveled PCB made using a special FR-4 composition impregnated with black dye by King Credie in Guangdong, China. The front bezel also incorporates the Wi-Fi antenna.
• The LCD is sourced from Sharp Microelectronics. Due to its highly critical nature and long lead time, we have gone ahead with a risk buy to ensure its availability for the campaign. If the campaign greatly exceeds volume expectations, we may have to take a staged approach to delivery as LCD shipments become available.
• The backlight assembly was pre-manufactured to match the LCD.
• The keyboard overlay is a full-custom, UV-cured, polycarbonate assembly with silkscreen printing, all done via AQS in Dongguan, China.
• The keyboard PCB is a semi-custom "transparent" substrate, manufactured by King Credie in Dongguan, China.
• The button array is sourced from AQS in Dongguan, China.
• Final assembly will be done at AQS in South Korea.

Once the campaign has concluded and we know our final volume, we will begin manufacturing according to the following time line:

• January 2021 – Place orders
• February 2021 – It will be Chinese New Year, and factories will be shut down. We will use this time to develop the factory test for Precursor
• March 2021* – FCC and CE testing of final production prototypes. The question of if and when we can carry out such testing will be heavily impacted by pandemic travel restrictions which represent a significant risk to the project.
• March-June 2021 – Roughly 16 weeks lead time for all components to arrive at the South Korea facility.
• July-August 2021 – Pilot production of initial units in the South Korea facility. Timing and pace of production will depend heavily on our ability to travel to the facility to oversee production bring-up. If travel is not possible due to pandemic restrictions, we may suffer a 1-2 month delay as we mail samples back and forth from the factory to our engineering HQ in Singapore.
• September-October 2021 – Shipment of units to the USA.
• November-December 2021 – First shipments of units to backers. We anticipate that Limited Edition units will take up to 2-3 additional months to arrive, depending upon the nature of the manufacturing processes required to produce them.

Fulfillment & Logistics

We will be relying on Mouser Electronics, Crowd Supply’s fulfillment partner, to handle the global shipment of devices to backers. For more information about shipping, please see Crowd Supply’s Ordering, Paying, and Shipping guide and the International shipping section of their Fulfillment & Logistics guide.

Risks & Challenges

The biggest risk hanging over this project is the uncertainty brought about by the COVID-19 pandemic. Previously, a visit to a facility would almost be a day trip from Singapore; currently, such visits may be possible but only with several days of quarantine, health documentation, and other red tape such as invitation letters and strict itineraries. The strict itineraries are particularly difficult in the face of tasks like compliance testing and factory bring-up, as it is very hard to predict how long these take. That said, all of the countries involved in the Precursor supply chain have taken steps — rooted in science — to manage the pandemic, and their populations have generally complied with mask mandates. This significantly reduces risks and increases the likelihood that we will be able to deliver Precursor on time. At the moment, all suppliers are indicating "normal" lead times for components. If there is another global infection wave, however, it could add months to the delivery schedule.

Political uncertainty in the United States is also a significant risk to Precursor. The outcome of the 2020 election, and whether that outcome is accepted peacefully by all parties, will have a huge impact on global supply chains, as well as trade tariffs and diplomatic relations. It could also have a significant impact on the legality of end-to-end encryption technology. Precursor’s South Korean country of origin currently allows it tariff-free import to the US. It is, however, conceivable that the US will radically change its policies within the next year, thereby making it difficult or impossible to import Precursor into the US.

Precursor is an offshoot of the Betrusted project, which aims to make a complete hardware and software solution for secure and private communications. Our team would like to acknowledge partial funding for development of Precursor from the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet program.