NetISA

Open-source TLS 1.3 and WiFi for vintage ISA PCs.

Phase 0: Parts ordered. All firmware and CPLD logic validated in simulation (160/160 tests passing, 95/128 CPLD macrocells, positive timing slack at 16 MHz). Awaiting hardware for prototype build.

NetISA is an 8/16-bit ISA expansion card that gives IBM PC/XT, AT, 386, and 486 systems a first-class path to the modern internet. A Microchip ATF1508AS CPLD handles ISA bus timing deterministically. An Espressif ESP32-S3 handles WiFi, TLS 1.3, and the full TCP/IP stack using hardware-accelerated AES, SHA, RSA, and ECC. The retro PC sees a register-mapped coprocessor and talks to it through a small DOS TSR. No proxy box. No serial bottleneck. No software crypto on the retro CPU.

What this unlocks

HTTPS browsing from DOS via Lynx, Links, or Arachne against real TLS 1.3 sites.
Gmail, Outlook, Fastmail from Pine or Pegasus via IMAPS and SMTPS.
git clone over HTTPS on a 486 against GitHub.
Discord, Mastodon, Bluesky, Matrix via REST APIs, plus IRC over TLS for Libera.Chat.
Dropbox, OneDrive, Nextcloud sync via WebDAV over HTTPS.
MQTT over TLS for smart home publishing from an 8088.

Features

WiFi 802.11 b/g/n with external bracket-mounted antenna for reliability inside metal PC cases
Hardware-accelerated TLS 1.3 with certificate validation and session resumption
Optional Ethernet via Wiznet W5500 in v1.5 (pads and footprint present on v1 board)
Works in any ISA slot from XT through 486, 8-bit and 16-bit
DOS TSR driver with INT 63h API, under 2 KB resident
PC/TCP Packet Driver compatibility for mTCP and WATTCP applications
Full 16-bit I/O address decode with no aliasing on AT+ systems
Open source: MIT for software, CERN-OHL-P for hardware

Hardware

Bus logic: Microchip ATF1508AS CPLD in TQFP-100, 128 macrocells, native 5V operation, 10 ns pin-to-pin propagation. No level shifters on the ISA side.
Main processor: Espressif ESP32-S3-WROOM-1U-N8R8 with hardware AES-128/256, SHA-256/384/512, RSA up to 4096-bit, ECC, hardware RNG, and built-in WiFi.
Ethernet (optional, v1.5): Wiznet W5500 with 8 hardware TCP sockets, 10/100 Mbps.
Configuration: Physical jumpers for base address, IRQ, and safe mode. No Plug-and-Play.

Design verification

160 of 160 Verilog testbench tests passing (iverilog), covering address decode, IOCHRDY wait states, watchdog timeout, IRQ state machine retrigger, back-to-back cycles, mid-cycle reset, status flag merge, and alias rejection.
95 of 128 CPLD macrocells used, 61 of 84 pins, fits EPM7128STC100-15 clean on Quartus II 13.0sp1.
Timing slack: +39.5 ns setup, +5.0 ns hold, +26.25 ns minimum pulse width at 16 MHz. Zero total negative slack.
Zero bus contention events across the entire simulation suite.
Lint clean on iverilog -Wall.

Looking ahead

v1 ships as a DOS and Windows 3.x peripheral using Session Mode (the card owns TCP/IP and TLS, host talks at the session level). The firmware and CPLD are deliberately architected so v2 can add native drivers for Windows 95/98/NT NDIS, Linux kernel net_device, and NetBSD/FreeBSD, without hardware changes. v2.5 adds Linux kTLS offload, matching the architecture Mellanox and Chelsio use for their datacenter TLS-capable NICs, brought to a 486.