MicroPythonOS is a lightweight, fast, and versatile operating system designed to run on microcontrollers like the ESP32 and desktop systems. With a modern Android-like touch screen UI, App Store, and Over-The-Air updates, it’s the perfect OS for innovators and developers.
↫ MicroPythonOS’ website
It’s quite neat to see this running in such a constrained environment, especially considering it comes with a graphical user interface, some basic applications, and niceties like OTA updates and an application repository. As the name implies, MicroPythonOS uses native MicroPython for application and driver development, making cross-platform portability from microcontrollers to regular PCs a possibility. It’s built on the MicroPython runtime, with LVGL for graphics, packaged by the lvgl_micropython project.
It’s still relatively early in development, but it’s completely open source so anyone can help out and improve the project. I’m personally not too well-versed in the world of microcontrollers like the popular ESP32, so I’m not entirely sure just how capable other operating systems and platforms built on top of it are. This particular operating system seems to make it rather easy and straightforward for anyone to build and distribute an application for such microcontrollers, to a point where even an idiot like myself could relatively easily buy, say, an ESP32 kit with a display and assemble my own collection of small applications.
To repeat myself, it simply looks neat.

This is neat. But don’t count these small microcontrollers out in more complex tasks.
It can run Linux (with some effort):
https://github.com/ESP32DE/Boot-Linux-ESP32S3-Playground
It can of course run DOOM:
https://www.reddit.com/r/esp32/comments/6kzca7/doom_on_the_esp32/
And do much more.
The sad thing is British (Raspberry Pi) and Italian (Arduino) either sold out, or moved to premium segments, while the cheap Chinese ESP32 took their place. Well it is sad, because we know ESP32 comes with some backdoors unfortunately: https://www.espressif.com/en/news/response_esp32_bluetooth
sukru,
Really awesome stuff!
Is there proof? I ask because the link you provided actually says the opposite and says the author had to retract that designation. It seems the reporting may have been a false positive.
https://hackaday.com/2025/03/10/the-esp32-bluetooth-backdoor-that-wasnt/
The explanation that these were low level programming and firmware update commands sounds plausible to me. Most devices have programming interfaces to do this. It doesn’t rise to the level of a “backdoor”. If it had a covert remote channel, things would be different.
Of course the risk is always there, it’d be nearly impossible to prove a CPU/microcontroller doesn’t have a backdoor. Most of the time we just assume they don’t but we don’t actually know. Intel CPUs with VPRO suffered vulnerabilities that were technically capable of being used as backdoors. For US companies we call these “remote vulnerabilities” and for Chinese companies we call them “backdoors”, haha. Both are technically the same thing, the difference is intent, which there’s no way of knowing.
Alfman,
Yes, I shared their official response to accusations on purpose. Did not want to do this one sided. (What was the saying? “do not attribute to malice what can be explained by incompetence”)
These are not “backdoors” in the traditional sense, but … they can be used to make other attacks worse. If you can somehow run code on the esp32 (say using an HTTP server vulnerability), they can then escalate further. These give direct access to memory after all.
Why were they left behind?
Possibly oversight. Still having millions of devices vulnerable is not a good place to be in.
sukru,
I honestly don’t think it should be called a backdoor at all. Of course if someone manages to get low level access to the host, they could exploit these low level features, but the low level features themselves are not the backdoor. Otherwise by that definition practically every device in existence would have a backdoor:
Every SSD from every manufacturer = backdoor.
Every motherboard = backdoor.
Kids toys with USB programming = backdoor.
All the wifi adapters = backdoor.
Every router on the market = backdoor
ESP competitors including basic stamps, atmega/arduinos, etc = backdoor
Heck even an AT modem = backdoor
etc.
I find it more harmful than useful to designate such features as “backdoors” since the risk of hyperbole goes to 100%.
I recognize that programmers have access to lots of low level features that could be maliciously exploited, so we agree there. But in my mind to be called a “backdoor” it has to make the leap from merely being a feature that’s accessible through normal programming channels to being a feature that enables a hacker to gain control while bypassing normal programming boundaries. In other words: it’s not a back door when the hacker is using the front door to control the device.