01

Buttons

ButtonDescription
▲ TopNavigate up / increment digit
▼ BottomNavigate down / next digit
RSTHardware reboot — same as power cycling the device
02

First Boot

Step 1 — Create PIN

On first power-on the device prompts you to create a PIN code. This PIN encrypts the master device key — it is required on every startup.

Step 2 — Connect to WiFi

After PIN creation the device starts an Access Point. Connect to it from your phone or computer. A captive portal opens automatically — select your WiFi network and enter the password. The device reboots after saving.

Note WiFi can also be configured later through the web cabinet in AP mode, before the automatic WiFi setup runs.

Step 3 — Web cabinet starts automatically

On first boot after WiFi setup, the web server starts automatically. Enter the device IP or mDNS address in your browser to complete registration.

03

Operating Modes

After entering the PIN on every boot, the device shows a mode selection prompt. Two buttons appear on screen — they represent the two non-default network modes. The third mode (your configured default) starts automatically after a 2-second timeout if no button is pressed.

The default mode on timeout is configurable in Settings → Boot Mode. Factory default is WiFi Client. Each button press resets the timeout by 2 seconds.

AP Mode
Press ▲ Top
  • Passwords
  • HOTP codes
  • Web cabinet
  • HID transfer (BLE / USB on S3)
  • TOTP (DS3231 required)
Offline Mode
Press ▼ Bottom
  • Passwords
  • HOTP codes
  • HID transfer (BLE / USB on S3)
  • TOTP (DS3231 required)
  • Web cabinet
WiFi Mode
No button — auto
  • Passwords
  • HOTP codes
  • TOTP codes
  • Web cabinet (opt.)
  • HID transfer (BLE / USB on S3, no web server)

WiFi Mode — Web Server

After connecting to WiFi and syncing time via NTP, the device asks: enable web server?

StateAvailable
Web server OFFTOTP, HOTP, passwords, HID transfer (BLE / USB on S3)
Web server ONTOTP, HOTP, passwords, web cabinet — HID transfer disabled
05

HID Password Transfer

The device acts as a hardware keyboard and types the selected password directly — no app required on the receiving device.

T-Display ESP32 (classic): BLE HID only.
T-Display-S3: BLE HID or USB HID. When both buttons are held, a prompt appears on screen to select the output mode. The device pre-selects the configured default — wait for the auto-selection timer, or press a button to switch before transmission begins. USB HID requires no pairing or drivers.

ModeBLE Available
Offline✓ Yes
AP✓ Yes
WiFi — web server OFF✓ Yes
WiFi — web server ON✗ No
T-Display-S3 — USB HID USB HID is available under the same conditions as BLE HID. The HID output prompt (BLE or USB) appears after holding both buttons. Default mode is configurable in Settings → HID Mode.

First Connection (Bonding)

  1. In the password manager screen, hold both buttons
  2. A PIN code appears on the device display
  3. On your phone, select the device in Bluetooth settings and enter that PIN
  4. Bonding is saved — next time no PIN is needed

Sending a Password

  1. Navigate to the desired password using /
  2. The password is transmitted to the phone as keyboard input
  3. Press ▲ Top to exit BLE and return to passwords
Note If a hardware BLE PIN is configured, the device will ask you to confirm it on-screen before transmitting.
06

Factory Reset

  1. Press RST
  2. Immediately after reboot — hold both buttons simultaneously
Warning Factory reset permanently deletes all TOTP/HOTP keys, passwords, WiFi credentials, sessions, and PIN. Export your data before resetting if you need to restore it.
07

Web Cabinet — Access & Login

How to Open

Open the device IP address in your browser, or use the mDNS address: http://t-disp-totp.local (hostname configurable in Settings).

In AP mode a captive portal opens automatically when you connect to the device's WiFi network.

Registration

On first access the device redirects to the registration page. Create a username and password, then log in with the same credentials.

Known Bug The registration or login page may appear blank on first load. Refresh the page and it will display correctly.
Login Attempts Multiple failed login attempts will lock access until the device is rebooted.
07b

Widget Bar

The widget bar is a thin strip at the top of the web cabinet interface. It contains two elements on opposite sides.

ElementLocationDescription
🔋 BatteryLeft sideShows current battery charge level (device must have a 3.7V LiPo battery connected). Displays percentage and voltage. While charging, an animated icon is shown.
🌐 LanguageRight sideFlag icon with a dropdown — switch the web cabinet interface language. Available languages: English, Russian, German, Chinese, Spanish. Selection is saved in the browser and persists across sessions.
Language Switcher Changing the language updates all labels, buttons, and notifications instantly — no page reload required. The setting is stored per browser, not on the device.
08

Keys — TOTP & HOTP

Adding a Key

Enter a name and the secret key. Default settings: TOTP, SHA1, 6 digits, 30 second interval.

Click Additional Settings to change:

ParameterOptions
TypeTOTP, HOTP
AlgorithmSHA1, SHA256, SHA512
Code length6 or 8 digits
TOTP interval30 or 60 seconds

You can also add a key by uploading a screenshot of its QR code.

Key Actions

ActionResult
Tap the codeCopy code to clipboard
QR buttonDisplay QR code on device screen for 30 seconds — scan to export to another authenticator app
Next (HOTP only)Advance counter and generate next code
DeleteRemove key permanently
Scanning the QR The device screen is small. Enable your phone's flashlight and zoom in for a cleaner scan.

Export & Import

  1. Click Activate Export and enter your web cabinet password
  2. Select the keys to export and click Export — a .enc file downloads
  3. To import: activate export again, click Import, upload the .enc file

The .enc file can also be opened in decrypt_export.html (project root) — an offline editor for viewing, decrypting, and editing keys on your computer.

09

Passwords

Adding a Password

Enter a name and password. Use the generator icon to create one:

ControlFunction
SliderPassword length: 1 – 64 characters
RegenerateGenerate a new random password
SaveCopy generated password into the input field

Click Save Password to add it to the list.

Password Categories

Each password can be assigned a category to organise your vault. A category badge appears above the password name in the list.

CategoryUse for
📋 NoneUncategorised (default)
🌐 WebWebsite logins
📱 AppMobile or desktop applications
🖥 LocalLocal system / device credentials
🔑 Key / TokenAPI keys, tokens, secrets

To assign a category:

  • Quick change: click the category badge directly on a password row — a small popup appears, select a new category, it saves immediately.
  • Edit modal: open Edit for any password — the category selector appears above the strength indicator. Change and click Save.
  • Add form: select a category before clicking Add Password.

Use the category filter bar above the password table to show only entries from a selected category. Click 📋 All to show everything.

Auto-Send (Enter)

When enabled, the device automatically presses Enter after typing the password via BLE or USB HID keyboard. Useful for login forms where the password field is the last input. Enable only when the target application expects Enter to submit — in other contexts it may trigger unintended actions.

The badge ENT appears on the device screen when a password has Auto-Send enabled.

Password Actions

ButtonAction
CopySecurely fetch password from device and copy to clipboard
EditOpen edit form — change name or password and save
RemoveDelete password permanently

Password Security Badges

While browsing passwords on the device screen, a row of security indicators is shown below the masked password. Badges appear only when relevant — a clean screen means no issues detected.

BadgeMeaning
🔒🔒🔒 LocksPassword strength: 1 lock (red) = weak, 2 locks (yellow) = medium, 3 locks (yellow) = strong. Based on length and character diversity.
🌐 📱 🖥 🔑Category badge — shown above the password name. Click to change category inline.
DUPAnother entry in the vault has an identical password. Detected without decrypting other entries.
PINPassword consists entirely of digits — significantly reduced entropy regardless of length.
NAMEPassword contains the entry name (or part of it) as a substring, case-insensitive.
Migration Entries created before this feature was added are migrated automatically on first boot — no action required.

Export & Import

Works identically to key export — activate, enter password, download .enc file. Compatible with decrypt_export.html.

10

Display Settings

SettingOptions
ThemeLight, Dark
TimezoneUsed for the clock widget shown on device screen
Splash screenImage shown on boot: SecureGen (original), Blade Runner 2044, Combs
Auto-dimTime until the display brightness drops to 20%. Useful for saving battery while keeping the screen on. Must be shorter than Screen timeout. Set to Never to disable.
Screen timeoutTime until the display turns off and the device enters low-power pseudo-sleep (CPU slowed to 40 MHz, TFT controller suspended). Press either button to wake — no PIN required. Set to Never to keep the screen on indefinitely.
Auto LockTime after which the device enters deep sleep and wipes all sensitive data from RAM. Requires PIN on wake. Counted from last activity — starts after the device enters pseudo-sleep when screen timeout is enabled, or directly from last button press when screen timeout is Never. Must be longer than screen timeout when both are non-zero. Set to Never to disable. Wake from deep sleep: press ▼ Bottom.
Screen OrientationNormal (landscape) — default, USB port on the right. Flipped (180°) — rotates the display 180°. Button mappings are automatically swapped when flipped. Change takes effect immediately — no restart required. Available on both T-Display ESP32 and T-Display-S3.
DS3231 RTC ModuleExternal hardware clock. When enabled, the device keeps accurate time without WiFi. Required for TOTP in AP and Offline modes. Configure I2C pins (default SDA=21, SCL=22) and press Sync & Save to set time from browser clock.
Screen & Lock Settings Screen timeout and Auto Lock are configured together in one block with a single Save Settings button. Both can be set independently — either or both can be set to Never. If Auto Lock is set shorter than or equal to screen timeout, the value is automatically adjusted upward in the UI.
Screen TimeoutAuto LockBehaviour
30 seconds5 minutesScreen off after 30 s → deep sleep after 5 min of no activity
Never5 minutesScreen stays on → deep sleep after 5 min of no button press
30 secondsNeverScreen off after 30 s → stays in pseudo-sleep indefinitely, wake on button
NeverNeverScreen always on, no automatic sleep or lock
11

PIN Settings

Device PIN (Startup Encryption)

Controls the PIN requested on every boot. This PIN encrypts the master device key — all stored data depends on it. Enabled by default, created on first boot.

StateEffect
EnabledPIN required on startup. Master key encrypted on disk.
DisabledNo PIN on startup. Master key stored unencrypted — if the device is stolen, data can be extracted.
Important Once disabled, the master key cannot be re-encrypted without a Factory Reset. A reset requires re-importing all keys and passwords from backups.

BLE Hardware Confirmation PIN

An additional PIN prompted on the device itself before any BLE password transfer. Prevents unauthorized transfers if someone else has access to the device.

Duress PIN

A separate emergency PIN that triggers an immediate, silent wipe of all device data when entered during startup instead of the normal PIN.

PropertyDetail
LengthMust match the Startup PIN length (4–10 digits). Configured automatically.
ValueMust differ from your normal Startup PIN.
BehaviourDevice displays PIN OK — indistinguishable from normal unlock — then silently erases all data and restarts.
StorageStored as a separate PBKDF2-HMAC-SHA256 hash. Never stored in plaintext.
Board supportBoth T-Display ESP32 and T-Display-S3.

What is erased

When the Duress PIN is entered, the following is permanently destroyed before restart:

  • All TOTP / HOTP keys
  • All passwords
  • Device master key (/device.key)
  • WiFi credentials
  • BLE bonding data (NVS partition)
  • All sessions, web admin credentials, PIN configuration
  • The Duress PIN hash itself
  • The entire filesystem partition (~3.9 MB) — erased at the hardware level via esp_partition_erase_range, making file recovery impossible even with direct flash access

How to enable

In the web cabinet, open the Pin tab and scroll to the Duress PIN section. Toggle the switch on, enter and confirm the PIN, then click Save Duress PIN. To disable, toggle the switch off — the hash file is removed from the device.

⚠ Warning — irreversible
There is no confirmation prompt. Entry of the Duress PIN immediately and permanently destroys all data. Use only in situations where device compromise is imminent and you must prevent data extraction.

Hidden Space

Hidden Space is a second independent encrypted vault. At boot, entering an alternate PIN loads a completely separate set of keys, passwords, and web cabinet account. The device behaves identically from the outside regardless of which space is active.

How it works

The device key file holds two independent encrypted slots. Each slot is protected by its own PIN and salt. The slot that successfully decrypts determines which space loads — the other slot is never touched during that session.

Hidden Space requires startup PIN to be active. If startup PIN is disabled, Hidden Space is automatically wiped — PIN entry is the only mechanism for space selection.

Step 1 — Enable Hidden Space

Open the web cabinet from Space A → Settings → Hidden Space → enable the toggle → confirm. The device restarts.

Step 2 — Set a Space B PIN

On the next boot you are prompted for your main PIN first (Space A unlock), then a new PIN for Space B. The two PINs must be different. After setup the device restarts again and boots normally into Space A.

Entering Space B

At the PIN entry screen, enter the Space B PIN instead of the Space A PIN. The device loads the hidden vault — isolated TOTP keys, passwords, and a fresh web cabinet registration.

Data / SettingSpace ASpace BShared
TOTP / HOTP keys✅ own✅ own
Passwords✅ own✅ own
Web cabinet account✅ own✅ own
WiFi credentials✅ own✅ own (or shared)optional
BLE PIN✅ own✅ own
Display theme
BLE device name
RTC / time sync

WiFi sharing

By default Space B has no WiFi credentials. In Settings → Hidden Space (Space A context), enable Share WiFi with hidden space to let Space B use Space A's WiFi on its first boot. Credentials are re-encrypted with a chip-derived key — neither space can read the other's device key.

Disabling Hidden Space

From Space B: Settings → Hidden Space → disable toggle → confirm. This wipes slot B and deletes all Space B files. Space A data is not affected.

Wipe is permanent and cannot be undone. All Space B keys, passwords, and credentials are destroyed.

Factory reset and Hidden Space

Factory reset is only available from Space A. A full factory reset wipes both spaces by formatting the filesystem entirely. Factory reset from Space B is blocked.

First boot into Space B

Space B starts empty — no keys, no passwords, no web cabinet account. Register a new web cabinet account on first access. If WiFi sharing is not enabled, configure WiFi credentials in the web cabinet as well.

12

Settings

Change Web Cabinet Password

Requirements: minimum 8 characters, uppercase letter, lowercase letter, number, special character (!@#$%).

Change AP Password

Password for the device's own WiFi access point.

WiFi Network

Change the WiFi network credentials the device connects to in WiFi Client mode. Enter the network SSID (use the Scan button to find available networks), password, and confirm password, then click Save WiFi Credentials.

Note Changes take effect after reboot. The current connection is not interrupted.

Bluetooth

BLE device name — maximum 15 characters. This is the name visible when pairing.

mDNS

Hostname for local network access. After saving, the device is reachable at http://<hostname>.local.

Startup Mode

Default screen on boot: TOTP/HOTP view or password manager.

HID Mode

T-Display-S3 only. Default output mode when sending passwords via hardware keyboard emulation: BLE HID or USB HID. This is the pre-selected option shown in the HID prompt — the other mode remains selectable before transmission begins. Factory default: BLE HID.

Boot Mode

Default network mode on boot: WiFi Client, AP Mode, or Offline. The selected mode becomes the timeout default during the boot prompt — the other two modes remain selectable via buttons. Changes take effect on next reboot. Factory default: WiFi Client.

Web Server Auto-Shutdown

Automatically stops the web server after inactivity: 5 min, 10 min, 1 hour, or never.

Auto-Logout Timer

OptionBehaviour
Until rebootSession ends on every device reboot — fresh login required
1 hour / 6 hours / 24 hours / 3 daysSession persists across reboots for the selected duration
Note — Time synchronization required for persistent sessions
Timed modes (1 hour – 3 days) require synchronized system time to validate session age across reboots. Time is synchronized automatically via NTP in WiFi mode, or manually via DS3231 RTC in AP/Offline modes (Display Settings → DS3231 RTC → Sync & Save).
In AP mode without RTC, timed modes automatically fall back to until-reboot behavior — sessions remain valid for the current boot only, subject to the 15-minute inactivity timeout.

Device Controls

ButtonAction
RebootRestart the device
Reboot with web serverRestart and automatically enable the web server on next boot
Clear BLE clientsRemove all saved Bluetooth bondings
LogoutEnd current web cabinet session