Engineering Record | Pisces Moon OS — ESP32-S3 Reference Architecture

Abstract

Pisces Moon OS v1.2.0 ships a four-radio multi-app handheld operating system — preemptive multitasking, persistent dual-core background intelligence collection, runtime-loadable application modules, real-time SD logging, FAT32 file management — on a $50 microcontroller with 320 KB of internal SRAM and no external memory of any kind. This is not a benchmark or a tech demo. It is a shipping operating system.

This engineering record documents how that became possible. Eleven engineering problems solved on the way — none of which had documented prior solutions on this hardware platform. Eight architectural patterns hardened into platform-level disciplines: the SPI Bus Treaty, the Ghost Engine task model, lazy app-state allocation, WiFi mode-locking with hard teardown, lazy boot initialization, runtime radio tuning, the three-layer ELF sandbox, and the three-tier memory architecture that allows the same OS to run from zero PSRAM through 8 MB PSRAM with a single codebase.

The deeper claim is in the methodology: name the constraint, document the protocol, make it a platform contract. The treaties this methodology produced — SPI Bus Treaty on the S3, UART Peripheral Map on the P4 — are the expressions. The methodology is the contribution. The Cardputer result is the proof that it generalizes to hardware the industry treats as incapable of running an OS at all.

Thesis

The Espressif ESP32-S3 is sold for single-purpose firmware. Smart-home endpoints. IoT modules. AI inference accelerators. The chip vendors target the customers who collectively ship hundreds of millions of devices and pay the bills. Nobody at Espressif is wrong about what their chip sells for.

The chip is also more capable than its marketing implies. Pisces Moon OS demonstrates this by shipping a multi-app operating system on three different ESP32-S3 deployment targets, including the no-PSRAM Cardputer ADV — concurrent four-radio operation, real-time logging, persistent multi-app state, and a documented sandbox for runtime third-party code. This document is the record of what that took.

The argument is not that mutexes are new, that PSRAM heap redirection is undocumented, or that the ESP-IDF is missing features. The argument is structural: no prior project on this hardware class assembled the available primitives into a multi-app OS that required all of them simultaneously, named the architectural protocols that made them coexist, and ported the result across three devices in the same chip family without breaking the protocols. Eight patterns generalized. Eleven problems solved. One methodology behind all of it.

II.

The Chip vs the Marketing

The clearest way to show what the marketing leaves unsaid is to compare the most resource-constrained Pisces Moon target — the Cardputer ADV with zero PSRAM — to its commercial framing as a single-purpose device.

Property	Cardputer ADV — Marketing	Cardputer ADV — Running Pisces Moon
Use case	Single-purpose IoT firmware	Multi-app operating system, 47 applications
Multitasking	Optional FreeRTOS task	Preemptive multitasking, dual-core split
Memory budget	320 KB shared across all uses	Static footprint 109 KB, app-lifetime heap 219 KB
Concurrent radios	One at a time, usually	WiFi STA + NimBLE observer + GPS + LoRa
Persistent background work	Not in the reference designs	Ghost Engine on Core 0, runs unconditionally
Runtime third-party code	Not supported	ELF sandbox with hardware-enforced isolation
Retail price (2026)	$50	$50

The chip in the Cardputer is the same chip in both columns. The difference is what the operating system asked of it. Architecture was spent instead of memory — the SPI Bus Treaty for shared peripheral arbitration, lazy app-state allocation for memory headroom, WiFi mode-locking for radio mutual exclusion, the ELF sandbox for runtime application safety. Architecture written by hand, in C, against hardware primitives directly.

Pisces Moon's specialization is the source of its capability. The reference firmware ecosystem optimized for general-purpose flexibility at the cost of efficiency. Pisces Moon spends architecture on specialization — Treaty mutex for one specific bus, mode-locking for one specific radio, lazy init for one specific boot path — that gives radio-handheld capability at the cost of being unable to run unrelated workloads. Both are valid optimizations. They reach different ceilings on the same chip.

III.

Three Deployment Targets

Pisces Moon OS v1.2.0 ships on three Tier 1 ESP32-S3 devices spanning the entire memory tier of the chip class. The same operating system, the same Treaty, the same Ghost Engine architecture, the same application contract — across all three.

Device	Variant	PSRAM	Display	Radio Stack	Apps
T-Deck Plus	ESP32-S3 (8M)	8 MB	ST7789 320×240	WiFi, BLE, SX1262 LoRa, ATGM336H GPS	49
T-LoRa Pager	ESP32-S3 (8M)	8 MB	ST7796U 480×222	WiFi, BLE, SX1262 LoRa, MIA-M10Q GPS, TCA8418 keyboard, DRV2605 haptic, XL9555 expander	52
Cardputer ADV	ESP32-S3FN8	None	ST7789 240×135	WiFi, NimBLE, AT6668 multi-constellation GPS; Cap LoRa-1262 adds SX1262 +27dBm	47

The same Treaty mutex protects the SPI bus on all three. The same Ghost Engine model — Core 0 owns radios, never stops, releases the foreground to Core 1 — runs on all three. The same ELF sandbox enforces runtime isolation on all three. The user-facing application contract is identical. The hardware differences are absorbed in the architectural patterns documented below.

For full hardware comparison, including peripheral pin maps and radio-specific configuration notes, see the device architecture reference.

IV.

Eight Architectural Patterns

The patterns below are what the eleven engineering problems hardened into. Each is a discipline binding on first-party OS code, third-party ELF modules, and every future hardware target. The patterns generalized; the problems were how we learned them.

Pattern 1

The SPI Bus Treaty

Recursive mutex (spi_mutex) protecting all SD, LoRa, and display SPI traffic. Four rules: hit-and-run, no extended holds, radio-traffic mutual exclusion via shared boolean, destructive operations under Treaty discipline at boot. v1.2.0 audit: 54 take sites, 56 give sites verified across 12 files. The Treaty is the public contract every component and every ELF module must obey. Published as a standalone whitepaper at spi-bus-treaty.html.

Pattern 2

The Ghost Engine Task Model

Core 0 owns the radios and runs the persistent background intelligence collection process. Core 1 owns the foreground application and the user interface. Ghost Engine task is FreeRTOS priority 7. ELF tasks are priority 5. Core 0 never stops. Core 1 freely changes state without endangering background collection. The model holds across all three deployment targets without modification.

Pattern 3 — The Turning Point

Lazy App-State Allocation

The moment the project stopped treating the chip as a microcontroller and started treating it as a computer that happened to be small. Every always-on app buffer was moved out of static memory and into app-lifetime allocations. The OS no longer reserves RAM for dormant apps. Result on the Cardputer: 81 KB of static memory returned to the heap before the user did anything. Static footprint 190 KB → 109 KB. Free heap at task-spawn 97 KB → 219 KB. The constraint was never the hardware. The constraint was an architectural assumption inherited from single-purpose firmware. Discipline: if an app's state is not in use, it does not belong in static memory.

Pattern 4

WiFi Mode-Locking with Hard Teardown

WiFi CLIENT mode (Gemini AI client) and SCANNER mode (Ghost Engine wardrive) are mutually exclusive at the OS level. Mode transitions perform full esp_wifi_stop() + esp_wifi_deinit() teardown before re-init in the new mode — hardware-honest arbitration, not software flag arbitration. The pattern is required on the no-PSRAM Cardputer ADV; on PSRAM-equipped targets it costs nothing and improves stability.

Pattern 5

Lazy Boot Initialization

SD mount, radio init, and peripheral configuration deferred out of the boot sequence into background FreeRTOS tasks that run after all other peripherals have completed init. Apps poll readiness flags with timeout before accessing the resource. Required on the T-LoRa Pager (where the boot sequence leaves SPI in a state SD CMD0 cannot complete); now the recommended pattern for any new ESP32-S3 hardware target.

Pattern 6

Runtime Radio Tuning

When build-flag tuning fails — because the Arduino-ESP32 stack ships with precompiled libbt.a that cannot be reconfigured at compile time — radio parameters are tuned at runtime via direct register writes and ESP-IDF API calls. BLE scan window/interval, WiFi PHY mode, LoRa coding rate, GPS baud rate. The pattern is required when the surface API doesn't expose what the silicon supports.

Pattern 7

Three-Layer ELF Sandbox

Hardware-enforced isolation for runtime-loadable ELF modules on a non-MMU SoC. Layer 1: custom Xtensa exception handler intercepts PMS violations before the ESP-IDF panic handler — kills the offending ELF task, returns to launcher, Ghost Engine never pauses. Layer 2: direct PMS register writes mark OS SRAM read-only during ELF execution. Layer 3: ELF runs in a dedicated FreeRTOS task at priority 5 with semaphore-based completion and configurable timeout. Buggy-resistant, not adversarial-proof. Honest limitation: PMS write-protects OS SRAM but cannot prevent an ELF from reading arbitrary addresses.

Pattern 8

Three-Tier Memory Architecture from a Single Codebase

The same source tree compiles to three memory configurations: 8 MB PSRAM (T-Deck Plus, T-LoRa Pager), 320 KB SRAM only (Cardputer ADV), and 32 MB HEX PSRAM (ESP32-P4, alpha). Memory-tier-specific behavior is gated behind #ifdef DEVICE_* defines that route allocations, set buffer sizes, and select initialization paths. The application contract is identical across tiers. The OS knows which tier it's running on; the apps do not need to.

Eleven Engineering Problems — Summary

The eleven problems are documented in full detail in the sovereignty white paper. The summary below maps each problem to the architectural pattern it produced.

#	Problem	Target	Pattern
1	SPI bus conflict (SD vs LoRa)	T-Deck Plus	SPI Bus Treaty
2	Memory exhaustion under simultaneous workloads	T-Deck Plus	PSRAM heap redirect
3	Dual-core SD synchronization corruption	T-Deck Plus	SPI Bus Treaty + radio flag
4	Dense RF environment instability	T-Deck Plus	Buffer sizing + drain loops
5	Security architecture under Treaty constraints	T-Deck Plus	Sector-overwrite Nuke
6	GPS module variation across batches	T-Deck Plus	Baud auto-detection
7	GPIO 21 dual-function collision	T-LoRa Pager port	Conditional compilation
8	SPI bus state corruption at boot	T-LoRa Pager port	Lazy boot init + cold SPI restart
9	Ghost Engine silent failure (phantom file)	T-LoRa Pager port	Lazy session-file creation
10	ELF execution without HW isolation	Platform-wide	Three-layer PMS sandbox
11	Concurrent multi-radio on no-PSRAM S3	Cardputer ADV	Lazy app-state + WiFi mode-locking + PSRAM flag isolation

The Cardputer Result — Why Problem 11 Is Different

Problems 1 through 10 were engineering work on hardware with 8 MB of PSRAM. They prove the operating system works. Problem 11 was building the same operating system on hardware with 1/25th of that memory. It proves the architecture works.

The Cardputer ADV ships with 320 KB of internal SRAM and no external memory of any kind. The ESP32-S3FN8 variant simply does not include PSRAM. When the v1.2.0 port began, the honest read of the heap measurements at the moment the wardrive task spawned — 97 KB free, with WiFi requiring 54 KB and NimBLE requiring 48 KB — was that concurrent multi-radio operation on this hardware was impossible. The industry's expectation for a no-PSRAM ESP32-S3 is single-purpose firmware. The chip is sold for that workload.

Three architectural changes — lazy app-state allocation, WiFi mode-locking with hard teardown, and PlatformIO PSRAM flag isolation — reclaimed 81 KB of static memory before the user did anything, established hardware-honest WiFi mode arbitration, and removed false PSRAM expectations from the allocator. The result: 219 KB free heap after WiFi STA init. 174 KB after NimBLE observer init. 125 KB free during active wardrive scanning with 24 BLE devices, 14 WiFi networks, and GPS lock at 27 satellites. Four concurrent radios. Real-time SD logging. Persistent multi-app state. 47 applications. On a chip with 320 KB total.

Bench validation, May 20, 2026: Mesh Messenger send/receive confirmed between T-Deck Plus and Cardputer ADV with Cap LoRa-1262 on the LongFast channel, concurrent with active wardrive logging on both devices and SD transcripts written to /mesh_logs/messages.csv. The Mesh Messenger application, the LoRa protocol stack, and the SPI Bus Treaty discipline held across the 8 MB PSRAM and no-PSRAM ends of the chip tier simultaneously.

Eight patterns generalized from the PSRAM-equipped origin devices down to the no-PSRAM extreme of the same chip class, with no compromise on the application catalog, the Bridge protocol, or the Ghost Engine invariant. The Cardputer running Pisces Moon OS is the proof that the methodology generalizes. It is also, to the best of our knowledge, the most capable multi-radio handheld operating system shipping on a no-PSRAM microcontroller in the current market.

VI.

The Methodology

The eleven problems share a structure. Each involved a behavior the hardware permits but the documentation does not constrain. Each surfaced under conditions — sustained concurrency, dense RF, hardware-variant edge cases, no-PSRAM extremes — that prior projects on this hardware had not produced. Each was solved by writing down what the unconstrained behavior must become, and enforcing it as a contract.

Three steps:

Name the constraint. The hardware permits behavior X. The system requires behavior Y. The gap is named so it can be referenced in code, reviewed in commits, and enforced at module boundaries.
Document the protocol. The constraint is written down as a finite set of rules every component must obey. The Treaty has four rules. WiFi mode-locking has three. Lazy app-state has one.
Make it a platform contract. The rules are not best practice — they are obligations binding on first-party OS code, third-party ELF modules, and any future hardware target. Violation produces immediate crashes or test failures.

The SPI Bus Treaty is one expression. The UART Peripheral Map (ESP32-P4) is another. Lazy app-state allocation (Cardputer ADV) is a third. Three protocols, three hardware contexts, one methodology. The protocols are deliverables. The methodology is the contribution.

VII.

What's Next

ESP32-P4 (alpha). First boot May 13, 2026. RISC-V dual HP cores at 360MHz, LP Sentinel Core at 40MHz, 32MB HEX PSRAM, MIPI-DSI display, ESP32-C6 radio coprocessor via SDIO. The Ghost Engine moves to dedicated silicon. The UART Peripheral Map replaces the SPI Bus Treaty as the P4 shared-resource protocol. The methodology generalizes; the specific protocol changes to match the hardware. 57 apps registered. Launcher rendering. Touch navigation operational. Pisces Moon P4 v1.2.0-alpha.

Heltec V4 (near-term). Heltec ESP32 LoRa V4 with touch screen case — ESP32-S3R2, 2 MB PSRAM, 16 MB flash, SX1262 +27dBm, multi-constellation GPS, 2800mAh battery, solar charging support. A stationary deployment variant; documentation forthcoming after firmware validation completes.

Honest v1.2.0 nuke limitation. A v1.2.0 audit identified that the nuke's hardcoded target list in security_config.h does not match the wardrive's actual session-numbered output paths. v1.2.0 nuke covers Ghost Partition index files; wardrive CSVs survive. The right shape for the fix — dynamic discovery of sensitive files at SD root and under known directories rather than maintaining a hardcoded list — is identified; research on the cleanest implementation is ongoing.

Honest v1.2.0 security limitations. v1.2.0 nuke, against the files it currently targets, defeats software file-recovery tools (PhotoRec, Recuva, TestDisk) — no sector structure remains to reconstruct from the targeted files. It does not defeat chip-off NAND forensics due to SD controller wear-leveling: an overwritten logical sector may leave its physical NAND block intact but unmapped. Additionally, the PIN compiled into firmware.bin is extractable via esptool.py read_flash on devices without Secure Boot v2 + Flash Encryption enabled. The architectural answer to both gaps points toward an encrypted Ghost Partition with key destruction (making data irrecoverable regardless of wear-leveling) and Secure Boot v2 + Flash Encryption for production deployments. Both are research-ongoing and will land when verified end-to-end, not on a fixed release timeline. A full MFA unlock-key flow is currently deferred in v1.2.0 source.

Tier 2 deployment record. The Linux distribution (Pisces Moon Linux), Android APK, Luckfox Pico 86 Panel, and cross-platform Trojan Horse application runtime have their own engineering record. They will be documented separately when the work to consolidate them reaches the same level of formal architectural completeness as the ESP32-S3 work documented here.

“This is what the chip is, when the operating system is real. The chip is the hero. The operating system is the proof.”

Pisces Moon OS — Engineering Record v1.2.0 — May 19, 2026

Eric Becker · Fluid Fortune · forge@fluidfortune.com

Companion documents: white paper · SPI Bus Treaty · device architecture

Source: github.com/FluidFortune/pisces-moon-os

What the ESP32-S3 Is,When the Operating System Is Real