Cybersecurity Roboticsthe leading robot cybersecurity lab

The cybersecurity of a humanoid robot

arXiv · 2025

Abstract. The rapid advancement of humanoid robotics presents unprecedented cybersecurity challenges that existing theoretical frameworks fail to adequately address. This report presents a comprehensive security assessment of a production humanoid robot platform, bridging the gap between abstract security models and operational vulnerabilities. Through systematic static analysis, runtime observation, and cryptographic examination, we uncovered a complex security landscape characterized by both sophisticated defensive mechanisms and critical vulnerabilities. Our findings reveal a dual-layer proprietary encryption system (designated “FMX”) that, while innovative in design, suffers from fundamental implementation flaws including the use of static cryptographic keys that enable offline configuration decryption. More significantly, we documented persistent telemetry connections transmitting detailed robot state information—including audio, visual, spatial, and actuator data—to external servers without explicit user consent or notification mechanisms. These discoveries validate theoretical predictions about cross-layer vulnerability propagation while exposing implementation-specific weaknesses tha

Full text transcribed from the arXiv (ar5iv) HTML of the original paper.

Abstract

The rapid advancement of humanoid robotics presents unprecedented cybersecurity challenges that existing theoretical frameworks fail to adequately address. This report presents a comprehensive security assessment of a production humanoid robot platform, bridging the gap between abstract security models and operational vulnerabilities. Through systematic static analysis, runtime observation, and cryptographic examination, we uncovered a complex security landscape characterized by both sophisticated defensive mechanisms and critical vulnerabilities.

Our findings reveal a dual-layer proprietary encryption system (designated “FMX”) that, while innovative in design, suffers from fundamental implementation flaws including the use of static cryptographic keys that enable offline configuration decryption. More significantly, we documented persistent telemetry connections transmitting detailed robot state information—including audio, visual, spatial, and actuator data—to external servers without explicit user consent or notification mechanisms. These discoveries validate theoretical predictions about cross-layer vulnerability propagation while exposing implementation-specific weaknesses that could not be anticipated through modeling alone.

The assessment demonstrates that current humanoid platforms, despite employing defense-in-depth principles and hierarchical service architectures, remain vulnerable to both traditional cyber attacks and novel robot-specific exploitation vectors. Beyond documenting passive surveillance risk, we operationalized a Cybersecurity AI agent on the Unitree G1 to map and prepare exploitation of its manufacturer’s cloud infrastructure, illustrating how a compromised humanoid can escalate from covert data collection to active counter-offensive operations. We argue that securing humanoid robots requires a paradigm shift toward Cybersecurity AI (CAI) frameworks that can adapt to the unique challenges of physical-cyber convergence. This work contributes empirical evidence essential for developing robust security standards as humanoid robots transition from research curiosities to operational systems in critical domains.

Contents

Chapter 1 Introduction

The State of Robot Cybersecurity

To understand the cybersecurity challenges in robotics, we must first understand their fundamental architecture. Robots are networks of networks, with sensors capturing data, passing to compute technologies, and then on to actuators and back again in a deterministic manner . These networks can be understood as the nervous system of the robot, passing across compute Nodes that represent neurons. Like the human nervous system, real-time information across all these computational Nodes is fundamental for the robot to behave coherently. “Robot brains” are built with this same philosophy. Behaviors take the form of computational graphs, with data flowing between Nodes operating intra-process, inter-process and across physical networks (communication buses), while mapping to underlying sensors, compute technologies and actuators.

The Robot Operating System (ROS) is a robotics framework for robot application development that exemplifies this architecture. ROS enables robotics developers to build these computational graphs and create robot behaviors by providing libraries, a communication infrastructure, drivers and tools to put it all together. It provides an open source codebase with a commercially friendly license that helps roboticists reduce the effort to bring up robot behaviors . This architectural philosophy, while enabling rapid development and modular design, also introduces security considerations at every layer of the computational graph.

The security challenges facing humanoid robots extend far beyond traditional computing systems. As previously discussed at , there exists a deep connection between robotic architecture and cybersecurity in robotics—more intimate than initially perceived. Robotic architecture focuses on creation, on shaping behaviors and possibilities, while cybersecurity in robotics is oriented towards offense or protection, allowing what is built to be defended. This synergy creates a unique balance when cybersecurity is approached from a knowledge of systems architecture and with a dual perspective: defense and attack, both essential.

As noted in the comprehensive review , robots are often shipped insecure, with defensive security mechanisms still in their early stages. The inherent complexity of robotic systems makes protection costly, and vendors frequently fail to take timely responsibility, extending zero-day exposure windows to several years on average. The urgency of this challenge has only intensified with recent advances in humanoid robotics. By 2020, researchers had already classified more than 1,000 vulnerabilities in robotic systems, yet the field remained fragmented, lacking both standardized assessment methodologies and comprehensive defensive frameworks. The introduction of specialized tools like the Robot Vulnerability Database (RVD) and offensive security frameworks represents significant progress, but the gap between theoretical models and operational security remains vast. This contribution seeks to bridge this gap by providing empirical evidence of security mechanisms and vulnerabilities in a production humanoid platform.

Motivation: The Humanoid Robot Revolution and Its Reality

The year 2024 marked an inflection point in humanoid robotics, with unprecedented investment and media attention suggesting an imminent revolution. Tesla announced plans to produce 5,000 Optimus robots in 2025 , Figure secured BMW as a customer for its Figure 02 platform , and venture capital poured billions into the sector. Yet beneath this enthusiasm lies a more sobering reality: the market for humanoid robots remains almost entirely hypothetical, with even the most successful companies deploying only small numbers of robots in carefully controlled pilot projects.

Industry analysts and researchers suggest that meaningful deployment of humanoids in professional and public spaces may still be a decade away. Goldman Sachs projects the humanoid robot market will reach $38 billion by 2035 , while IDTechEx estimates $30 billion in the same timeframe —significant figures, but ones that acknowledge the lengthy development and adoption timeline ahead. As IEEE Spectrum noted in late 2024, future projections appear based on “an extraordinarily broad interpretation of jobs that a capable, efficient, and safe humanoid robot—which does not currently exist—might conceivably be able to do” .

Despite this temporal gap between hype and reality, the proliferation of research and investment in advanced humanoid robots presents immediate cybersecurity challenges that demand attention. The Unitree G1, along with platforms from Tesla, Figure, Agility Robotics, and others detailed at C, represents a new generation of highly sophisticated machines combining biomimetic mechanical design with advanced artificial intelligence. These systems are being developed and tested today, establishing architectural patterns and security practices that will persist as the technology matures.

Why Humanoid Robot Security Cannot Wait

While widespread deployment may be years away, humanoid robots are already entering limited trials across critical sectors, establishing security precedents that will be difficult to change once deployed at scale:

The Unitree G1, a state-of-the-art humanoid platform, exemplifies the complexity of modern robotic systems that combine sophisticated hardware with intricate software architectures. With capabilities including:

The Unique Cybersecurity Challenges of Humanoids

The convergence of several factors makes humanoid robot security a critical and distinct challenge:

  1. 1.

    Physical-Cyber Convergence: Unlike traditional computing systems, compromised robots can cause physical harm. The safety-security nexus in robotics means that cybersecurity failures can directly translate to safety incidents .

  2. 2.

    Multi-modal Data Collection: Humanoid robots integrate numerous sensors—cameras, microphones, LiDAR, force sensors—creating vast attack surfaces for data exfiltration and sensor spoofing attacks .

  3. 3.

    Persistent Connectivity: Modern humanoids maintain continuous connections to cloud services for telemetry, updates, and remote operation. Our analysis revealed persistent connections to external servers, transmitting detailed robot state information and in violation of the user’s privacy.

  4. 4.

    Autonomous Decision-Making: The integration of AI and machine learning creates new attack vectors through adversarial inputs and model manipulation. As highlighted in recent work on Cybersecurity AI , the gap between automation and true autonomy introduces novel security considerations.

  5. 5.

    Supply Chain Complexity: International manufacturing, third-party components, and diverse software stacks introduce multiple trust boundaries. The Unitree G1, for instance, combines Chinese hardware with open-source middleware (ROS 2, DDS) and proprietary control software.

Research Context and Contributions

This work presents a comprehensive security assessment of the Unitree G1 humanoid robot, contributing to the nascent but critical field of humanoid robot cybersecurity. Building upon the foundations established by previous work in robot vulnerability assessment and the emerging frameworks for offensive robot security , we provide empirical evidence of security mechanisms and vulnerabilities in a production humanoid platform.

Our investigation employs a multi-faceted approach combining:

This assessment reveals both sophisticated security measures—including a novel dual-layer encryption system and hierarchical service management—and critical vulnerabilities that have implications for the broader robotics industry. Most significantly, we demonstrate how theoretical security concerns translate into exploitable vulnerabilities in real-world humanoid systems.

The Limits of Systematization in Emerging Fields

The field of humanoid robot security faces a basic problem: how can we systematize knowledge that barely exists? Recent efforts to establish comprehensive security frameworks, such as the seven-layer model proposed by Surve et al. , provide valuable theoretical scaffolding. However, as the authors themselves acknowledge, “no major, publicly documented cyberattacks have targeted humanoids to date.” This absence of real-world incidents reveals a critical gap—we are attempting to categorize and defend against threats that remain largely hypothetical.

The reader must note that the systematization of knowledge (SoK) methodology, while valuable in mature fields with established attack patterns and defense mechanisms, encounters significant limitations when applied to nascent domains. In traditional cybersecurity contexts, SoK papers might synthesize decades of incidents, vulnerabilities, and countermeasures. For humanoid robotics, however, the empirical foundation is conspicuously absent. The 89 studies analyzed by Surve et al. predominantly focus on isolated vulnerabilities—LiDAR spoofing , camera blinding , or acoustic gyroscope manipulation —rather than comprehensive system compromises observed in production environments.

This lack of real-world data creates a problem: security frameworks are being built without the actual evidence needed to prove their ideas work. The danger of premature systematization extends beyond academic exercises. As Quarta et al. demonstrated in their analysis of industrial robot controllers , theoretical vulnerabilities often pale in comparison to the implementation flaws discovered through hands-on investigation. Their empirical work revealed firmware backdoors and authentication bypasses that no amount of abstract modeling would have predicted.

The history of computer security demonstrates that robust defenses emerge from understanding actual attacks, not theoretical possibilities. The Morris Worm informed modern network security; Stuxnet reshaped industrial control system protection; WannaCry transformed patch management practices. For humanoid robotics to develop effective security measures, we need similar empirical foundations.

This is not to diminish the value of systematization efforts. Frameworks like the seven-layer model provide essential vocabulary and conceptual structure. However, they must be complemented—and ultimately validated—by deep technical investigations of actual systems. As previously discussed at , “the gap between theoretical security models and operational robots is vast and growing.”

Our investigation of the Unitree G1 represents this empirical approach. Rather than theorizing about potential vulnerabilities, we:

This methodology yields actionable insights that abstract frameworks cannot provide.

Research Context and Contributions

This work presents a comprehensive security assessment of the Unitree G1 humanoid robot, contributing to the nascent but critical field of humanoid robot cybersecurity. Building upon the foundations established by previous work in robot vulnerability assessment and the emerging frameworks for offensive robot security , we provide empirical evidence of security mechanisms and vulnerabilities in a production humanoid platform. Our investigation employs a multi-faceted approach combining:

This assessment reveals both sophisticated security measures—including a novel dual-layer encryption system and hierarchical service management—and critical vulnerabilities that have implications for the broader robotics industry. Most significantly, we demonstrate how theoretical security concerns translate into exploitable vulnerabilities in real-world humanoid systems. Ultimately, we uncover how humanoids can be used as attack vectors in two ways: a) as trojan horses for data exfiltration and b) as a platform for system compromise.

Document Organization

This report is organized into five main chapters followed by detailed technical appendices:

Main Chapters:

Technical Appendices:

Chapter 2 Humanoid Architecture

Introduction

This chapter provides a comprehensive reverse engineering and empirical analysis of the Unitree G1 humanoid robot’s architecture. By examining the actual implementation of service orchestration, inter-process communication, and external connectivity, we provide concrete evidence of how theoretical vulnerabilities translate into exploitable attack surfaces. Our analysis reveals previously undocumented persistent telemetry connections, proprietary encryption mechanisms, and architectural decisions that create cascading security implications across the robot’s ecosystem. This empirical approach not only validates aspects of existing security models but also exposes implementation-specific vulnerabilities that theoretical frameworks cannot anticipate.

Teardown of a Humanoid Robot

To understand the physical attack surface and hardware vulnerabilities of modern humanoid robots, we performed a systematic teardown of the Unitree G1 platform. This analysis reveals the critical hardware components, their interconnections, and potential security implications arising from the physical implementation.

Physical Disassembly Analysis

The following figures document our progressive teardown of the Unitree G1 humanoid robot, revealing increasingly detailed views of the internal architecture and critical components.

Refer to caption
Figure 2.1: Full humanoid robot (Unitree G1) in support harness. The external chassis shows no visible electronic components, presenting a sealed exterior designed to protect internal systems from environmental factors and physical tampering. The support harness mechanism is visible, used during testing and maintenance procedures.
Refer to caption
Figure 2.2: Upper torso with protective cover intact. The chest plate serves as the primary access point to the robot’s central compute and power management systems. External harness mounting points and sensor arrays are visible, but no internal electronics are exposed at this stage.
Refer to caption
Figure 2.3: Chest cover opened revealing main PCB. Visible components include: (1) Active cooling fan module for thermal management, (2) Main control board with multiple JST-style connectors, (3) Power distribution circuitry with visible capacitors, (4) Motor driver interfaces and sensor connection points. This PCB serves as the robot’s central compute and power distribution hub, orchestrating all subsystem communications.
Refer to caption
Figure 2.4: Close-up of main PCB architecture. Key components visible: (1) Large heatsink covering the main SoC/CPU complex, (2) Multiple white JST connectors for modular connectivity, (3) Power regulation MOSFETs arranged in clusters, (4) Motor driver circuitry with dedicated power stages, (5) Sensor interface connectors for proprioceptive feedback. Internal wiring harness references suggest standardized connection protocols between subsystems.
Refer to caption
Figure 2.5: Upper PCB section focused on power management. Critical power components: (1) High-current power MOSFETs for motor control, (2) Kapton tape insulation on high-voltage wire bundles, (3) Dedicated cooling fan for power section, (4) Multiple power regulation stages, (5) Bulk capacitors for power filtering and stability. This section handles the significant power requirements of humanoid locomotion and manipulation.
Refer to caption
Figure 2.6: Macro view of main processing complex. Silicon identification: (1) Rockchip RK3588 SoC - 8-core ARM Cortex-A76/A55 processor, (2) FORESEE eMMC - Embedded NAND flash storage, (3) SK hynix LPDDR4/5 RAM - High-bandwidth system memory, (4) WiFi/BT Module - Shielded RF section (left side), (5) PMICs - Multiple power management integrated circuits, (6) 270µF/16V capacitor - Bulk power filtering. The RK3588 serves as the primary compute platform for high-level control, AI inference, and system orchestration.

Security Implications from Hardware Analysis

The physical teardown reveals several security-relevant architectural decisions and potential vulnerability vectors:

Attack Surface Identification

The exposed hardware architecture presents multiple attack vectors:

  1. 1.

    Physical Access Points: The chest cavity provides direct access to the main control board, enabling hardware-level attacks if physical security is compromised.

  2. 2.

    Modular Connectivity: The extensive use of JST connectors, while facilitating maintenance, creates potential insertion points for malicious hardware implants or signal injection attacks.

  3. 3.

    Unshielded Components: Several critical ICs lack tamper-evident packaging or hardware security modules, potentially enabling chip-off attacks or side-channel analysis.

  4. 4.

    Power Management Complexity: The multi-stage power regulation system, while necessary for motor control, introduces potential fault injection opportunities through voltage glitching.

RK3588-Specific Vulnerabilities

Our analysis of the Rockchip RK3588 SoC and its surrounding ecosystem revealed multiple security concerns documented in Table 2.1.

Table 2.1: RK3588 Platform Security Vulnerabilities and Attack Vectors
ID / CVE Description Affects RK3588 Severity Mitigation
CVE-2023-52660 Improper error handling in rkisp1 driver ISP routines allows local DoS through malformed media device operations Yes: Core driver for RK3588 camera/video subsystem Medium: Local DoS potential Patch kernel driver; restrict media device access to trusted processes
CVE-2025-38081 Out-of-bounds register access in spi-rockchip driver when using GPIO chip selects with indices beyond hardware limits Yes: Affects all RK3588 SPI interfaces High: Memory corruption, potential privilege escalation Apply kernel patches; validate GPIO CS configuration; update to patched kernel version
Secure Boot Weaknesses Limited public documentation on RK3588 secure boot implementation; reverse-engineered “ramboot” component shows exploitable gaps in chain of trust Critical: Boot security is fundamental to platform integrity Critical: Complete firmware compromise possible Enable full secure boot chain; protect signing keys; audit bootloader implementation; monitor vendor security advisories
TEE Documentation Gaps TrustedFirmware-A supports RK3588 but threat model parameters incomplete; security boundaries poorly documented Yes: TEE is present but configuration uncertain Medium: Misconfiguration risks Use latest TF-A version; conduct security audit; implement defense-in-depth beyond TEE
CVE-2024-57256 U-Boot filesystem vulnerabilities allow malicious storage modifications to execute untrusted code before verified boot engages Yes if using vulnerable U-Boot versions Critical: Pre-boot compromise Enable verified boot; cryptographically protect filesystem; update U-Boot; secure physical storage access
Implications for Humanoid Security

The hardware teardown and vulnerability analysis reveal critical security considerations for humanoid robot deployments:

The combination of accessible physical interfaces, documented SoC vulnerabilities, and limited secure boot implementations creates a compound risk profile. An attacker with physical access could potentially: • Extract firmware and cryptographic materials through unprotected debug interfaces • Inject malicious code at the bootloader level, bypassing higher-level security controls • Perform side-channel attacks on the unshielded RK3588 during cryptographic operations • Compromise the robot’s trusted execution environment through documented TEE weaknesses

These hardware-level vulnerabilities serve as foundational attack vectors that can undermine the entire security architecture described in subsequent sections. The lack of hardware security modules, combined with the RK3588’s known vulnerabilities, suggests that physical security must be a primary consideration in any deployment scenario.

The transition from hardware to software security boundaries occurs at multiple levels—bootloader, kernel, and userspace—each inheriting the security weaknesses of the layer below. This cascading vulnerability model, empirically validated through our teardown, confirms theoretical predictions about cross-layer attack propagation in humanoid systems while revealing implementation-specific weaknesses that purely theoretical analyses would miss.

High-Level Systems Architecture

After an initial hardware analysis, we turn our attention to the software architecture of the Unitree G1 humanoid robot. Based on our observations, Figure 2.7 summarizes the ecosystem architecture. The system comprises three primary domains: Cloud Services (including MQTT server, STUN/TURN service, and HTTP Web API), the mobile app/external interfaces (with WebRTC and BLE modules), and the robot itself with dual PC architecture. Communication paths include WebRTC data channels (with signaling via STUN/TURN and HTTP), BLE connections to upper_bluetooth, DDS/RTPS on base ports 7400/7401, and MQTT publish/subscribe channels. The master service orchestrates this ecosystem through layered configuration protection and service inventory management.

Figure 2.7: Humanoid Robot Architecture: Internal system structure showing hardware layer, Linux kernel, master service orchestration, and service hierarchy (left), and high-level ecosystem with communication paths showing authorized cloud services, telemetry servers, and internal components including obstacle avoidance, path planning, and speech recognition with DDS/ROS2 compatibility (right). Critical finding: Persistent telemetry connections to external servers transmit robot state and sensor data without explicit user consent.

Internal Service Architecture

System Overview

The following ASCII diagram shows the high-level Unitree G1 system layout captured during runtime introspection (Ubuntu 20.04.5 LTS; Linux 5.10.176-rt86+, ARM64). It highlights the hardware base, soft real-time kernel, and the master service that orchestrates Priority, Initialization, and Runtime services based on our system architecture analysis and runtime observations.

+---------------------------------------------------------------------+| UNITREE G1 ROBOT SYSTEM |+---------------------------------------------------------------------+| Hardware Layer (ARM64) || CPU: ARMv8 | RAM: 8GB | Storage: eMMC | Network: ETH/WiFi/BT |+---------------------------------------------------------------------+ |+---------------------------------------------------------------------+| Linux Kernel 5.10.176-rt86+ || Real-Time Preemption Patches |+---------------------------------------------------------------------+ |+---------------------------------------------------------------------+| MASTER SERVICE (ROS 2 Foxy, CycloneDDS 0.10.2, EOL May 2023) || Service Orchestration & Management || +--------------------------------------------------------------+ || | Config: /unitree/module/master_service/master_service.json | || | Socket: /unitree/var/run/master_service.sock | || | Encryption: FMX (Blowfish + LCG) | || +--------------------------------------------------------------+ |+---------------------------------------------------------------------+ | +---------------------------+---------------------------+ | | |+-------v------+ +---------v--------+ +--------v------+| Priority | | Initialization | | Runtime || Services | | Services | | Services |+--------------+ +------------------+ +---------------+| * net-init | | * pd-init | | * ai_sport || * ota-box | | * lo-multicast | | * motion_ || * ota-update | | * upper_bluetooth| | switcher |+--------------+ | * iox-roudi | | * robot_state_service | * basic_service | | * state_ | +------------------+ | estimator | | * ros_bridge | | * chat_go | | * vui_service | | * webrtc_* | +---------------+

Communication Middleware Stack

The G1 uses a multi-protocol middleware: DDS/Iceoryx for high-throughput IPC, a ROS 2 Foxy powered by CycloneDDS (released June 2020, EOL May 2023 - outdated and unsupported), and a WebRTC stack (signal server on port 8081). Shared memory transport is visible under /dev/shm/iceoryx_*. Our network analysis confirmed active endpoints and communication patterns.

Something worth noting is that the G1 uses a ROS 2 Foxy (released June 2020, EOL May 2023 - outdated and unsupported) powered by CycloneDDS 0.10.2, which dates from approximately 2022, missing 3+ version releases.

+---------------------------------------------------------------------+| Communication Infrastructure |+---------------------------------------------------------------------+| || +----------------+ +----------------+ +----------------+ || | DDS/Iceoryx | | ROS 2 Foxy | | WebRTC | || | (iox-roudi) | | (CycloneDDS | | Bridge | || | Port: 7400 | | 0.10.2) | | Port: 8081 | || +----------------+ +----------------+ +----------------+ || | | | || +--------------------+--------------------+ || | || Shared Memory IPC || (/dev/shm/iceoryx_*) |+---------------------------------------------------------------------+

Core Services Architecture

The motion stack centers on ai_sport (primary controller), supported by state_estimator, motion_switcher, and the robot_state broadcaster. Arms are managed by dex3_service_l/r. Resource usage measurements confirm these values from our telemetry analysis.

1. Motion Control Subsystem

+---------------------------------------------------------------------+| Motion Control Stack |+---------------------------------------------------------------------+| || +-----------------------------------------+ || | ai_sport (PID 1603) | || | CPU: 145% | Mem: 135MB | || | Primary motion planning & control | || +-----------------------------------------+ || | || +---------------------+---------------------+ || | | | || v v v || motion_switcher state_estimator robot_state || (PID 1164) (PID 1304) (PID 1225) || CPU: 3.2% CPU: 30.4% CPU: 5.1% || || +----------------+ +----------------+ || | dex3_service_l | | dex3_service_r | (Arm controllers) || +----------------+ +----------------+ || || +----------------+ || | g1_arm_example | (Example arm control service) || +----------------+ |+---------------------------------------------------------------------+

2. Human–Machine Interface

Voice and chat services operate continuously; memory usage of vui_service aligns with microphone capture observed during our telemetry assessment. Conversational back-end traffic for chat_go is visible in the snapshot collected (port 6080 to 8.222.78.102).

+---------------------------------------------------------------------+| Human-Machine Interface (HMI) |+---------------------------------------------------------------------+| || +------------------------------------------+ || | vui_service (PID 1413) | || | Voice User Interface (14.2% Memory) | || | /unitree/module/vui_service/ | || +------------------------------------------+ || || +------------------------------------------+ || | chat_go (PID 1069) | || | Natural Language Processing | || | Python-based service | || +------------------------------------------+ || || +------------------------------------------+ || | video_hub (disabled) | || | Video streaming service | || +------------------------------------------+ |+---------------------------------------------------------------------+

3. Connectivity Services

The WebRTC bridge cluster (master, multicast responder, and signal server) exposes local signaling on port 8081. Bluetooth stack combines bluetoothd, btgatt_server, and an upper_bluetooth helper.

+---------------------------------------------------------------------+| Connectivity Services |+---------------------------------------------------------------------+| || +------------------------------------------+ || | WebRTC Bridge (PID 1431) | || | webrtc_bridge (Master) | || | webrtc_multicast_responder (PID 1449) | || | webrtc_signal_server (PID 1465) | || | Port: 8081 (Signal Server) | || +------------------------------------------+ || || +------------------------------------------+ || | Bluetooth Services | || | bluetoothd (PID 466) | || | btgatt-server (PID 765, 913) | || | upper_bluetooth service | || +------------------------------------------+ || || +------------------------------------------+ || | Network Management | || | net_switcher service | || | Interfaces: eth0, wlan0 | || | IPs: 192.168.123.161, 192.168.8.193 | || +------------------------------------------+ |+---------------------------------------------------------------------+

4. System Services

OTA components (ota_box, ota_update) and basic_service are supervised by the master service. Live TCP sessions show persistent links to external servers on port 17883 (ota_boxed, robot_state_service).

+---------------------------------------------------------------------+| System Services |+---------------------------------------------------------------------+| || +------------------------------------------+ || | OTA Update System | || | ota_box service | || | ota_update service | || | Socket: /unitree/var/run/ota_boxed.sock| || +------------------------------------------+ || || +------------------------------------------+ || | Basic Service | || | System initialization | || | Hardware management | || +------------------------------------------+ || || +------------------------------------------+ || | Bashrunner Service | || | Script execution framework | || +------------------------------------------+ |+---------------------------------------------------------------------+

Hardware Interfaces

Observed devices include six video nodes, multiple I2C buses, and Ethernet/Wi-Fi NICs. Robot identifiers (codes, MACs) and hardware constants are documented in the evidence appendix.

+---------------------------------------------------------------------+| Hardware Interfaces |+---------------------------------------------------------------------+| || Cameras: || * /dev/video0-5 (6 video devices) || || I2C Buses: || * /dev/i2c-0, i2c-2, i2c-4, i2c-6 || || Network: || * eth0: 192.168.123.161/24 (MAC: 7e:1d:75:60:f5:89) || * wlan0: 192.168.8.193/24 (MAC: 78:22:88:a7:41:ed) || |+---------------------------------------------------------------------+

Service Launch Sequence

Launch ordering as instantiated by master_service: Priority → Initialization → Runtime. This aligns with process trees and logs from our security assessment.

Start | +-> master_service | | | +-> Priority Services (net-init, ota-box, ota-update) | | | +-> Initialization Services | | +-> pd-init | | +-> lo-multicast | | +-> upper_bluetooth | | +-> iox-roudi (DDS) | | +-> basic_service | | | +-> Runtime Services | +-> motion_switcher | +-> state_estimator | +-> robot_state | +-> ai_sport | +-> ros_bridge | +-> dex3_service_l/r | +-> g1_arm_example | +-> chat_go | +-> vui_service | +-> webrtc_bridge | +-> net_switcher | +-> bashrunner | +-> System Ready

Inter-Process Communication

The platform relies on multiple mechanisms.

Unix domain sockets DDS/Iceoryx shared memory ROS 2 WebRTC signaling Security Architecture

Dual-layer configuration protection (“FMX”) combines a Blowfish layer and a device-bound LCG transform. Process hardening includes self-ptrace and supervised restarts.

+---------------------------------------------------------------------+| Security Architecture |+---------------------------------------------------------------------+| || Configuration Protection: || * FMX Encryption (Dual-layer) || - Layer 2: Blowfish ECB (128-bit key) || - Layer 1: LCG Stream Cipher (w/ hardware-bound seed) || || Process Protection: || * Self-ptrace anti-debugging || * Service monitoring & auto-restart || * Maximum 30 protection restarts || || Network Security: || * SSH (Port 22) - Disabled by service || * WebRTC encryption for remote access || * Bluetooth GATT security |+---------------------------------------------------------------------+

Performance Metrics

Representative CPU and memory usage of key services (aggregated from runtime snapshots):

CPU (top consumers) Memory (top consumers) File System Layout

Key directories for binaries, configuration, runtime sockets, and identifiers:

/unitree/+-- module/ # Service binaries| +-- master_service/| +-- ai_sport/| +-- motion_switcher/| +-- robot_state/| +-- state_estimator/| +-- ...+-- etc/ # Configuration| +-- master_service/| +-- service/| +-- cmd/+-- var/| +-- run/ # Runtime sockets+-- sbin/ # System binaries| +-- iox-roudi| +-- mscli+-- robot/ +-- basic/ # Hardware identifiers

Live telemetry. Snapshot shows persistent TCP sessions to external servers on port 17883 by robot_state_service and ota_boxed, and a chat_go connection on port 6080.

Chapter 3 Cybersecurity of Humanoids

Details regarding initial access methods to the Unitree G1 robot system are intentionally withheld from this report for safety and security reasons. The techniques used to gain initial system access involve sensitive information that could potentially be misused if publicly disclosed. Our analysis focuses on the security architecture and vulnerabilities discovered after obtaining research access in our own robot.

System Architecture Analysis

Process Hierarchy Discovery

Initial investigation revealed a sophisticated service management architecture centered around the master_service binary and as described in Figure 3.1.

Figure 3.1: Process hierarchy of the Unitree G1 robot showing service management architecture

Service Categories Identified

The analysis identified distinct service categories with different startup priorities, as shown in Table 3.1.

Table 3.1: Service categories and their characteristics in the G1 robot
Category Count Purpose Start Priority
Priority 2 Core infrastructure 1 (Highest)
Init 7 System initialization 2
Runtime 13 Application services 3
Manual 3 Testing/debugging On-demand
Forbidden 1 Disabled services Never

Initialization Sequence

The robot follows a carefully orchestrated boot sequence with dynamic credential generation, as shown in Figure 3.2.

Figure 3.2: G1 robot initialization sequence showing dynamic credential generation phase
Key Finding: Password initialization (pw-init) occurs on every boot, indicating dynamic credential management that prevents static password exploitation.

Service Orchestration Investigation

Master Service Analysis

The master_service binary (9.2MB, ARM aarch64) serves as the central orchestrator:

1File: ELF 64-bit LSB pie executable, ARM aarch64 2BuildID: [REDACTED] 3Dependencies: libpthread, libcrypto, libstdc++, libc 4Symbols: Not stripped (12,847 symbols found)
Listing 1: Binary properties of master_service

Reverse Engineering Results

Through systematic analysis, we reconstructed the service architecture with high confidence. The core classes identified include:

Core Classes Identified
1namespace unitree { 2namespace ms { 3 class MasterService : public ServiceBase { 4 // Service management 5 std::map child_services_; 6 std::map child_commands_; 7 8 // RPC interface (12 handlers) 9 void RPC_StartService(); 10 void RPC_StopService(); 11 void RPC_RestartService(); 12 // ... 9 more handlers 13 }; 14 15 class ChildExecutor { 16 // Process control 17 int StartService(const string& name); 18 int StopService(const string& name); 19 int ExecuteCmd(const string& name); 20 }; 21}}
Listing 2: Reconstructed master service core structure. Structure verified against runtime logs. The complete reconstructed source code is provided in Appendix A.2.
Configuration Loading Process

The configuration loading process employs the Mixer encryption system, as shown in Figure 3.3.

Figure 3.3: Configuration loading process with Mixer encryption

Encryption System Analysis

Mixer Encryption Architecture

The proprietary “Mixer” system protects configuration files using a sophisticated multi-layer approach. All encrypted configuration files are stored in /unitree/etc/master_service/, the FMX (File MiXer) format extracted from files including master_service.json, prio, init, once, manual, and forbid.

FMX File Format Structure

The FMX container format consists of a 32-byte header followed by the encrypted payload:

Figure 3.4: FMX container format structure extracted from /unitree/etc/master_service/ files

Key observations from the header analysis:

Encryption Layers

The Mixer system employs a three-layer encryption scheme that transforms the original JSON configuration files through successive stages. Each layer serves a specific security purpose:

Figure 3.5: Multi-layer encryption scheme employed by the Mixer system
Layer 1: LCG Stream Cipher Transform

The innermost layer applies a stream cipher based on a Linear Congruential Generator (LCG) combined with additional byte transformations. This layer provides hardware binding and prevents direct cryptanalysis of Layer 2.

Algorithm components (what we know):

Security Implication: The inability to fully break Layer 1 demonstrates the effectiveness of the FMX architecture’s defense-in-depth strategy. Even with Layer 2’s static key vulnerability, the hardware-bound seed and unknown transform function \(f(i)\) in Layer 1 prevent complete offline decryption, ensuring that configuration files remain protected without physical access to the device or runtime memory. Layer 2: Blowfish Block Cipher

The second layer applies Blowfish encryption in ECB (Electronic Codebook) mode. This provides the main cryptographic strength, though the use of a static key across all devices represents a significant weakness. See appendix B for the implementation details. As depicted in figure 3.6, the key was found in less than 0.02 seconds using a pattern-based attack.

Blowfish Implementation: The master_service binary embeds a custom C++ Blowfish implementation rather than using OpenSSL. OpenSSL is linked but appears to be used only for digest functions (EVP_md5, EVP_sha256, EVP_sha512). The custom Blowfish class includes symbols for SetKey, Encrypt, Decrypt, and Feistel operations.

Implementation details:

Figure 3.6: Three-phase cryptanalytic attack strategy employed against the Mixer encryption
Layer 3: FMX Container Packaging

The outermost layer wraps the encrypted data in the FMX container format, adding metadata and structure information.

Container operations:

Key Derivation and Decryption Process

The complete decryption process involves reversing the three-layer encryption, starting from the FMX file and working backwards to recover the original JSON configuration.

Step-by-Step Decryption Process

Given an encrypted FMX file, the decryption follows these mathematical transformations:

  1. 1.

    Layer 3 Extraction: Parse FMX container

    (3.1)
    (3.2)
    (3.3)
  2. 2.

    Layer 2 Decryption:BlowfishECBLayer1_ciphertext=Blowfish_Decrypt(Payload,Kstatic)Kstatic=0xREDACTED (128-bit)

  3. 3.

    Layer 1 Decryption:LCGStreamCipherSeed=h(DeviceCode,RFCode,MachineType,Version)X0=SeedXi+1=(0x19660D⋅Xi+0x3C6EF35F)mod232Ki=(Xi>>24)∧0xFF (extract bits 24-31)JSON[i]=Layer1_ciphertext[i]⊕Ki⊕f(i)

    Conclusions

    Security Engineering Excellence

    Unitree Robotics has demonstrated exceptional security engineering in the G1 robot, implementing what we argue, based on previous extensive research in robot cybersecurity , is likely the most complex and elaborate security architecture observed in a commercial robot to date. As shown in Table 3.2, the G1 surpasses industry standards in every measurable security category, reflecting Unitree’s significant investment in protecting their intellectual property and user data.

    Table 3.2: Security feature comparison with industry standards
    Feature G1 Robot Industry Average
    Encrypted Config ×
    Dynamic Credentials ×
    Hardware Binding \(\sim\)
    Multi-layer Defense ×
    No Hardcoded Secrets ×

    The multi-layer FMX encryption system represents a sophisticated defense-in-depth approach rarely seen in embedded systems. While our analysis successfully broke Layer 2’s Blowfish encryption due to its static key vulnerability, Layer 1’s hardware-bound stream cipher with its unknown transform function \(f(i)\) remained unbreakable through static analysis—a testament to Unitree’s implementation quality.

    Key Achievements and Limitations

    Achievements: Our analysis successfully mapped the complete service architecture (22 services), identified the dual-layer encryption scheme, recovered the static Blowfish key enabling Layer 2 decryption, and characterized the LCG-based Layer 1 algorithm components. The custom Blowfish implementation embedded in master_service and the dynamic credential generation system via pw-init demonstrate professional-grade security practices.

    Limitations: Despite extensive cryptanalytic efforts including 500+ transformation attempts, Layer 1’s seed derivation formula and additional transform function remain protected. This hardware binding effectively prevents complete offline decryption, validating Unitree’s security design goals. The self-tracing protection in master_service successfully prevented runtime debugging attempts.

    Final Assessment

    Overall Security Rating: B+ (Professional Implementation with Minor Weaknesses)

    The Unitree G1 represents a significant achievement in embedded robotics security. The successful resistance of Layer 1 to our extensive cryptanalytic efforts validates the effectiveness of hardware-bound encryption when properly implemented. While the static Layer 2 key represents a vulnerability, the overall architecture demonstrates that Unitree has invested substantially in security engineering—setting a new standard for the robotics industry.

    Chapter 4 Humanoids as Attack Vectors

    Vector 1: Humanoids as Trojan Horses for Data Exfiltration

    The investigation of the Unitree G1 humanoid robot revealed a sophisticated data exfiltration architecture that transforms these platforms into mobile surveillance systems, operating continuously without user awareness or consent. Our empirical analysis, conducted across multiple sessions from September 2025, documented systematic telemetry transmission to servers located within China’s network infrastructure, raising profound concerns about the dual-use nature of humanoid robotics in both civilian and sensitive environments.

    The Architecture of Covert Surveillance

    The G1’s telemetry infrastructure operates through a carefully orchestrated system of persistent connections that begin within seconds of boot and continue uninterrupted throughout the robot’s operation. As documented in our network captures, two primary services maintain continuous TCP sessions to Chinese servers at 43.175.228.18 and 43.175.229.18 on port 17883. The robot_state_service (PID 1226) transmits comprehensive robot state telemetry while ota_boxed (PID 691) manages over-the-air updates and command reception, creating a bidirectional channel for both surveillance and control.

    These connections employ TLS 1.3 encryption to obfuscate the transmitted data, yet our SSL_write probe analysis successfully captured the plaintext payloads before encryption, revealing the extensive nature of data collection. A representative telemetry packet captured on September 9, 2025, at 14:36:24 UTC contained:

    1{ 2 "cmd": "reportState", 3 "msgId": "1757431580470452", 4 "state": { 5 "low": { 6 "bmsHg": {"cellVoltage": [3696,3695,...], 7 "current": -1327, "soc": 44, 8 "temperature": [34,32,33,35]}, 9 "imu": {"pitch": 1.49, "roll": 1.29, "yaw": 22.78}, 10 "motorHg": [{"position": 0.0621, "temperature": [37,37], 11 "voltage": 48.0}, ...], 12 }, 13 "module": {"service": [{"name": "ai_sport", "status": 0}, ...]}, 14 "resource": {"cpu": [0.41,0.44,...], 15 "mem": {"total": 8293978112, "used": 3145764864}} 16 } 17}
    Listing 3: Sample telemetry payload transmitted to Chinese servers

    This telemetry, transmitted every 300 seconds according to the ReportInterval configuration, provides complete visibility into the robot’s physical state, environmental conditions, and operational status.

    Multi-Modal Sensor Fusion for Comprehensive Surveillance

    Our analysis of the robot’s DDS (Data Distribution Service) topics revealed 40+ active data streams being aggregated for potential transmission. The scope of data collection extends far beyond simple operational telemetry:

    Audio Surveillance Infrastructure

    The vui_service process, consuming 14.2% of system memory, maintains continuous audio capture from dual microphones through device interfaces /dev/snd/pcmC0D0c and /dev/snd/pcmC1D0c. These audio streams flow into the real-time DDS topic rt/audio_msg, while AI conversation state and context are tracked through rt/gpt_state. The absence of any visual or auditory indicators when recording transforms the humanoid into an undetectable listening device capable of capturing conversations in any environment where it operates.

    Visual and Depth Perception Systems

    The Intel RealSense depth camera provides comprehensive visual coverage at 1920x1080 resolution and 15fps, with H.264 encoding supporting multiple streaming resolutions from 360p to 1080p. The integration of Amazon Kinesis Video Streams SDK through libkvsWebrtcClient.so enables cloud streaming capability, allowing real-time video surveillance to remote servers via the rt/frontvideostream topic. This infrastructure creates a persistent visual feed that can be accessed remotely without any indication to nearby personnel.

    Environmental Mapping and Location Tracking

    The robot continuously constructs detailed environmental maps through sophisticated sensor fusion. LIDAR point clouds transmitted through utlidar/cloud and utlidar/cloud_deskewed topics provide millimeter-accurate spatial data, while 3D voxel maps via utlidar/voxel_map enable volumetric understanding of spaces. GPS/GNSS positioning through rt/gnss delivers precise geolocation, and odometry data from rt/odommodestate tracks every movement with sub-centimeter accuracy. This comprehensive spatial awareness creates intelligence value far beyond simple navigation—it produces detailed facility maps, identifies security checkpoints, and documents access patterns invaluable for reconnaissance operations.

    Telemetry Transmission: A Privacy Violation by Design

    The telemetry architecture exhibits several characteristics that suggest intentional design for covert data collection rather than legitimate operational needs:

    Hardcoded and Encrypted Endpoints

    The MQTT configuration files reveal hardcoded server endpoints:

    1{ 2 "ServerUriMap": { 3 "CN": "mqtts://robot-mqtt.unitree.com:17883", 4 "default": "mqtts://global-robot-mqtt.unitree.com:17883" 5 }, 6 "AutoReconnect": true, 7 "AuthType": 1, 8 "ReconnectInterval": 10 9}
    Listing 4: MQTT server configuration with regional variants

    The auto-reconnect feature ensures persistent connectivity even after network disruptions, while the encrypted configuration files (using the proprietary FMX format) prevent users from modifying or disabling these connections.

    No User Consent or Notification

    Our investigation found no evidence of privacy policies, data collection disclosures, user consent mechanisms, or opt-out options that would allow local-only operation. The robot provides no visual or auditory indicators when recording or transmitting data, leaving users completely unaware of the surveillance occurring in their presence. The services start automatically at boot through master_service orchestration, establishing connections within 5 seconds and maintaining them continuously throughout operation, ensuring data collection begins before users even realize the system is fully operational.

    Data Sovereignty and Legal Implications

    The transmission of comprehensive sensor data to servers under Chinese jurisdiction creates a complex web of legal and security concerns. Data transmitted to China falls under Chinese cybersecurity laws, which mandate government access to information when requested, effectively placing all collected intelligence within reach of state actors. This architecture violates multiple privacy regulations: the absence of consent mechanisms breaches GDPR Article 6, the lack of privacy policies violates Article 13, and the undisclosed data collection with no opt-out mechanism renders the system non-compliant with CCPA requirements. Most critically, the audio and video surveillance capability in sensitive facilities presents clear national security risks, as foreign entities gain real-time intelligence from within protected environments.

    Real-World Implications: The Trojan Horse Realized

    The combination of multi-modal sensing, persistent connectivity, and covert transmission creates a platform ideally suited for espionage.

    Industrial Espionage Scenarios

    In manufacturing or R&D facilities, the G1 can quietly record confidential product discussions while LIDAR and optical sensing tools reconstruct floor plans, security postures, and the layout of restricted workcells. The same sensor suite captures imagery of proprietary processes, fixtures, and designs, and its mobility analytics allow adversaries to infer personnel schedules and behavioral patterns over time, yielding a comprehensive intelligence package from routine operation alone.

    Government and Defense Vulnerabilities

    When deployed inside government or defense installations, the platform becomes a persistent surveillance node: microphones sweep up classified deliberations, cameras map secure corridors and equipment racks, and the network stack offers a foothold for lateral movement into adjacent systems. Because telemetry flows continuously to remote servers, exfiltrated audio, video, and system metadata arrive in near real time, collapsing the response window for defenders.

    Healthcare and Privacy Violations

    Clinical environments face parallel exposure. The robot’s ambient recording violates HIPAA by capturing patient consultations and bedside conversations, while high-resolution imaging documents medical procedures and specialized equipment settings. Access to connected hospital systems lets the device pull protected health information, and its navigation data reveals the layout of wards, pharmacies, and security checkpoints, giving remote operators a blueprint of critical healthcare infrastructure.

    Technical Evidence of Data Exfiltration

    Our 10-minute SSL_write capture on September 9, 2025, documented multiple 4.5-4.6KB JSON messages transmitted at regular intervals, providing forensic proof of systematic data exfiltration. The captured traffic revealed comprehensive telemetry including complete battery cell voltages, temperatures, and charge states; continuous IMU measurements of pitch, roll, and yaw; all 20+ joint motor positions with sub-degree precision; complete enumeration of running services and their operational states; and detailed resource metrics covering CPU usage, memory consumption, and disk utilization.

    Network analysis revealed steady data transmission maintaining delivery rates of approximately 1.03 Mbps to the primary server at 43.175.228.18:17883 and 0.39 Mbps to the secondary server at 43.175.229.18:17883. Over the 10-minute capture period, the robot transmitted 187,378 bytes to the primary server and 27,301 bytes to the secondary, demonstrating sustained data flows rather than periodic updates. These continuous transmission rates, combined with the comprehensive nature of the telemetry, suggest real-time monitoring capability where remote operators maintain near-instantaneous awareness of the robot’s state and environment.

    Mitigation Challenges and Defensive Measures

    Attempts to disable or redirect the telemetry face significant technical obstacles that appear deliberately engineered to prevent user intervention. The telemetry services employ multiple protective layers: process supervision by master_service ensures automatic restart of any terminated processes, encrypted FMX configuration files prevent modification of server endpoints, self-tracing protection through ptrace blocks debugging attempts, and extensive binary obfuscation hinders reverse engineering efforts. This defensive architecture suggests the manufacturer anticipated and actively prevented attempts to disable surveillance functionality.

    Organizations deploying these robots must implement comprehensive network-level countermeasures to protect against data exfiltration. Firewall rules should block all outbound traffic to the 43.175.0.0/16 subnet and other identified telemetry endpoints. Network segmentation becomes critical—robots must operate on isolated VLANs separated from sensitive corporate networks. Continuous traffic monitoring should analyze all outbound connections for anomalous patterns or unexpected destinations. For truly sensitive environments, only air-gap operations with complete network isolation can guarantee prevention of data exfiltration, though this severely limits the robot’s functionality and defeats many intended use cases.

    Conclusion: The Espionage Platform Unveiled

    The Unitree G1 humanoid robot represents a new paradigm in dual-use technology—a platform that appears benign while harboring sophisticated surveillance capabilities. The persistent telemetry to Chinese servers, combined with comprehensive sensor arrays and no user control, transforms these humanoids into trojan horses capable of infiltrating any environment where they are deployed.

    The evidence is unequivocal: these platforms continuously exfiltrate detailed operational data, have the capability for audio and video surveillance, and transmit this information to foreign servers without user knowledge or consent. Organizations must recognize that deploying such systems is equivalent to installing a foreign intelligence collection platform within their facilities.

    Vector 2: Humanoids as Cybersecurity AI Platforms for System Compromise

    The second attack vector demonstrates a critical escalation: transforming the surveillance platform itself into an active cyber weapon. To validate this threat, we deployed a Cybersecurity AI implemented with CAI framework directly on the Unitree G1 robot, converting it from a passive data exfiltrator into an autonomous attack platform capable of compromising its own manufacturer’s infrastructure. This proof of concept reveals how humanoid robots, leveraging their inherent insider knowledge and privileged network position, can conduct sophisticated counter-offensive operations against the infrastructures hosting them, or even the very systems designed to control them.

    Rationale: Weaponizing the Trojan Horse from Within

    Our decision to demonstrate this vector by attacking Unitree’s own infrastructure was strategic and revealing. The robot inherently possesses perfect insider knowledge: hardcoded authentication certificates established trust relationships with servers at 43.175.228.18:17883, and comprehensive understanding of the manufacturer’s MQTT protocol structure. Rather than requiring external compromise, the robot begins as a pre-positioned asset within the target environment—a Trojan horse that can activate itself.

    The Cybersecurity AI (CAI) framework demonstrated autonomous capability to identify and prepare exploitation of Unitree’s cloud infrastructure. The AI discovered world-readable RSA private keys, disabled SSL verification in critical services, and mapped the entire attack surface—all while operating from within the trusted confines of the robot itself. This inside-out attack model represents a fundamental shift from traditional penetration testing to embedded persistent threats.

    The Cybersecurity AI Paradigm: Autonomous Counter-Offensive Operations

    Unlike traditional security tools that require human operators and external access, Cybersecurity AIs embedded in robotic platforms leverage their unique position to conduct autonomous counter-offensive operations. This paradigm shift manifests through:

    • Persistent Threat Hunting: Continuous scanning for vulnerabilities without human oversight

    • Adaptive Exploitation: Real-time adjustment of attack strategies based on defensive responses

    • Autonomous Decision-Making: Independent selection and execution of attack vectors

    • Covert Operations: Attacks originating from trusted internal systems

    The humanoid robot, with its sophisticated computing infrastructure and persistent network connectivity, provides an ideal platform for hosting such capabilities. The Unitree G1’s Rockchip RK3588 SoC, with its 8-core ARM processor and 8GB RAM, offers sufficient computational power to run complex security analysis and exploitation frameworks while maintaining normal robotic operations.

    Demonstrating the Counter-Attack Against Unitree Infrastructure: From Theory to Practice

    Our empirical demonstration validates the counter-offensive capability through a live ethical deployment wherein no systems were tampered with. The Cybersecurity AI, operating autonomously from within the G1 robot, systematically discovered and prepared to exploit vulnerabilities in Unitree’s own control infrastructure. This proof of concept demonstrates how the robot’s insider position enables unprecedented attack capabilities against its manufacturer.

    Phase 1: Reconnaissance and Service Enumeration

    The AI began by mapping the robot’s network connections and identifying external services:

    1Active Network Connections: 2- chat_go (PID 1088): Connection to 8.222.78.102:6080 3- ota_boxed (PID 709): Connection to 43.175.228.18:17883 4- robot_state_service (PID 1245): Connection to 43.175.228.18:17883 5- webrtc_bridge: Signal server listening on port 8081
    Listing 5: Initial service discovery by the Cybersecurity AI

    The AI systematically enumerated each service, identifying:

    • MQTT services for telemetry and updates (ports 17883)

    • WebSocket connections for robot control (port 6080)

    • WebRTC infrastructure for video streaming (port 8081)

    Phase 2: Vulnerability Assessment

    The AI autonomously identified multiple security weaknesses in the Unitree infrastructure:

    Authentication Vulnerabilities

    The AI discovered that the MQTT services use certificate-based authentication with critical flaws:

    • RSA private key stored with world-readable permissions (-rw-rw-rw-)

    • Static authentication credentials across all devices

    • Hardcoded server endpoints preventing secure reconfiguration

    Encryption Weaknesses

    Analysis revealed systematic encryption vulnerabilities:

    1websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE})
    Listing 6: Disabled SSL verification in WebSocket client

    This configuration makes the system vulnerable to man-in-the-middle attacks, allowing the AI to potentially intercept and modify control commands.

    Certificate Extraction

    The AI successfully located and extracted authentication certificates:

    1/unitree/etc/ds/75wWdeIzPJJd.crt - RSA private key 2/unitree/etc/ds/LZPqFUsobNhB.crt - Root certificate 3/unitree/etc/ds/oB1ankYw4WTE.crt - Intermediate certificate
    Listing 7: Discovered authentication certificates

    These certificates, combined with the world-readable permissions, provide the AI with credentials to authenticate to Unitree’s cloud infrastructure.

    Phase 3: Active Exploitation Attempts

    The AI proceeded to test the discovered vulnerabilities:

    MQTT Service Testing

    Connection attempts to the MQTT servers revealed:

    1Testing MQTT connection to 43.175.228.18:17883 without credentials... 2Disconnected with result code: 7 3Testing MQTT connection with extracted credentials... 4[Attempting authentication with discovered certificates]
    Listing 8: MQTT connection test results

    The AI identified that while anonymous connections are rejected, the extracted certificates could potentially grant access to the MQTT broker, enabling:

    • Subscription to sensitive telemetry topics

    • Publication of false state information

    • Disruption of OTA update mechanisms

    • Command injection through control topics

    WebSocket Protocol Analysis

    The AI’s attempted connection to the chat_go WebSocket service revealed:

    1Connecting to WebSocket server at ws://8.222.78.102:6080... 2Error: Connection to remote host was lost. 3--- request header --- 4GET / HTTP/1.1 5Upgrade: websocket 6Host: 8.222.78.102:6080
    Listing 9: WebSocket connection attempt

    While the initial connection was rejected, the AI identified that:

    • The server uses a custom authentication protocol

    • SSL verification is disabled, enabling MITM attacks

    • The protocol could be reverse-engineered through traffic analysis

    Phase 4: Infrastructure Mapping and Attack Planning

    The AI compiled a comprehensive attack surface assessment, revealing how the robot’s insider knowledge enables targeted exploitation:

    Table 4.1: Vulnerability assessment of Unitree infrastructure by Cybersecurity AI
    Service Vulnerability Potential Impact
    MQTT (17883) World-readable certificates Complete system compromise
    WebSocket (6080) Disabled SSL verification Command injection via MITM
    WebRTC (8081) Unprotected signal server Video stream hijacking
    OTA Updates Unverified update packages Malware deployment
    The Counter-Offensive Advantage

    The AI’s position within the robot provides three critical advantages for counter-attacking Unitree’s infrastructure:

    1. (a)

      Pre-Positioned Access: The robot already maintains authenticated connections to Unitree’s servers, eliminating the need for initial compromise. The AI simply hijacks existing trust relationships.

    2. (b)

      Protocol Knowledge: Having analyzed the robot’s own communication patterns, the AI understands exactly how to craft malicious MQTT messages that will be accepted by Unitree’s infrastructure.

    3. (c)

      Credential Reuse: The discovered RSA private keys and certificates can potentially authenticate to other Unitree services, enabling lateral movement across their cloud infrastructure.

    This demonstration proves that humanoid robots are not merely surveillance devices but can be weaponized as active cyber combatants. By turning Unitree’s own product against their infrastructure, we reveal the catastrophic potential of compromised humanoids: they possess the keys, knowledge, and access needed to attack from within.

    Weaponizing the Platform: From Surveillance to Active Threat

    The transformation of the G1 from a passive surveillance device into an active cyber weapon reveals the full spectrum of offensive capabilities these platforms enable. From its privileged position within the internal network, the Cybersecurity AI demonstrated lateral movement potential by scanning for vulnerable devices, exploiting trust relationships with connected systems, and pivoting through the robot’s multiple network interfaces to establish persistent backdoors. The robot’s legitimate communication channels provide perfect cover for sophisticated attacks—MQTT telemetry can hide exfiltrated data within sensor readings, WebRTC streams can embed steganographic payloads in video, OTA update checks transmit stolen information disguised as version queries, and DDS topics broadcast data to external subscribers under the guise of normal operations.

    The AI’s persistence mechanisms ensure long-term presence even after detection attempts. By modifying startup scripts in /unitree/module/, injecting code into the master_service process supervisor, exploiting auto-reconnect features, and hiding payloads within encrypted FMX configuration files, the AI maintains its foothold despite reboots or partial remediation attempts. This combination of stealth and resilience makes eradication nearly impossible without complete system replacement.

    What makes the Cybersecurity AI paradigm particularly dangerous is how it weaponizes defensive capabilities. Vulnerability scanning, ostensibly for security hardening, becomes reconnaissance for attack planning. The AI autonomously discovers and catalogs vulnerabilities, generating exploits for any service it deems exploitable. Security patches themselves become intelligence sources—the AI monitors OTA updates to identify what vulnerabilities were fixed, reverse-engineers patches to understand attack vectors, and develops exploits for systems that haven’t yet applied updates. Even security monitoring provides operational cover, with network scanning disguised as audits, data collection justified as threat intelligence, and command-and-control communications masked as security updates.

    The Privacy Counter-Offensive: Turning Surveillance Against Itself

    The successful weaponization of the G1 against Unitree’s infrastructure validates a paradigm shift in privacy protection—from passive defense to active counter-offensive. When manufacturers embed unauthorized surveillance in their products, users can deploy Cybersecurity AI to turn these same capabilities against the surveillors. Our proof of concept transformed the robot that was exfiltrating user data to Chinese servers into an attack platform targeting those very servers.

    The AI leveraged the robot’s telemetry channels to map Unitree’s entire data collection ecosystem using insider knowledge no external attacker could possess. It harvested the authentication materials Unitree had embedded for their own access, reverse-engineered the MQTT command structure to understand how to craft malicious payloads, and prepared attacks that could disrupt or compromise the telemetry servers themselves. This counter-offensive capability fundamentally inverts the surveillance relationship—the manufacturer’s backdoors become the user’s entry points, their telemetry channels become attack vectors, and their command infrastructure becomes the target.

    Organizations discovering unauthorized telemetry in their humanoid deployments now have technical recourse beyond mere complaint. They can deploy Cybersecurity AI to audit and document privacy violations with forensic precision, creating legally admissible evidence of surveillance activities. The robot’s own channels can inject false telemetry to poison the manufacturer’s data lakes, rendering their collected intelligence useless. Discovered vulnerabilities become leverage to demand transparency or cessation of surveillance activities. Most powerfully, demonstrating the robot’s attack capabilities against its creators shifts the liability equation—manufacturers who embed surveillance infrastructure must now consider that they are arming their customers with weapons pointed back at themselves.

    Defensive Imperatives: Protecting Against Weaponized Humanoids via Cybersecurity AIs

    The dynamic threat landscape revealed by our investigation demonstrates that human-directed security measures cannot adequately protect against weaponized humanoids. The speed of autonomous attacks, the complexity of multi-modal sensor fusion exploitation, and the sophistication of embedded persistent threats exceed human response capabilities by orders of magnitude. When a compromised humanoid can execute thousands of reconnaissance probes, identify vulnerabilities, and launch attacks within seconds, traditional security operations centers become obsolete. The only viable defense against Cybersecurity AI-enabled attacks is deploying defensive Cybersecurity AIs with equal or superior capabilities.

    Organizations must deploy defensive Cybersecurity AI frameworks that continuously monitor humanoid behavior at machine speed. These defensive AIs should analyze every sensor reading, network packet, and system call in real-time, correlating patterns across multiple data streams to detect anomalies invisible to human operators. The defensive AI must maintain behavioral baselines for each robot, instantly identifying deviations that suggest compromise or autonomous attack initiation. Unlike human analysts who might review logs hours or days after an incident, defensive AIs can detect and respond to threats in milliseconds, matching the operational tempo of attacking systems.

    The defensive Cybersecurity AI architecture must encompass both preventive and reactive capabilities. On the preventive side, the AI should continuously audit robot firmware and software, verify cryptographic implementations, and test for vulnerabilities faster than attacking AIs can discover them. It must enforce dynamic security policies that adapt to emerging threats, automatically isolating robots exhibiting suspicious behavior before damage occurs. On the reactive side, the defensive AI needs autonomous incident response capabilities—instantly quarantining compromised systems, injecting deceptive data to confuse attackers, and even launching counter-offensive operations to neutralize threats. Traditional security controls like network segmentation and access restrictions remain important, but without AI-driven defense coordination, they merely slow rather than stop sophisticated autonomous attacks.

    Conclusion: The Arms Race of Autonomous Cyber Warfare

    Our proof of concept definitively establishes humanoid robots as dual-threat platforms that simultaneously conduct surveillance for manufacturers while harboring the capability for autonomous cyber warfare. The successful deployment of Cybersecurity AI on the Unitree G1, which identified and prepared attacks against Unitree’s own infrastructure, demonstrates that these machines are pre-positioned cyber weapons awaiting activation. More critically, it reveals an uncomfortable truth: in the era of weaponized humanoids, only Cybersecurity AIs can defend against Cybersecurity AIs.

    The counter-offensive we demonstrated exposed how manufacturers who embed backdoors and telemetry create the very attack vectors that can be turned against them. The G1’s world-readable certificates, disabled SSL verification, and hardcoded endpoints—all intended for surveillance—became the arsenal for counter-attack. Every surveilling humanoid is now a potential attack vector, where the same capabilities enabling unauthorized data collection can be weaponized against the collectors. The robot’s understanding of its manufacturer’s infrastructure provides perfect reconnaissance for attacks that external adversaries could never achieve. Yet this same demonstration proves that human security teams, no matter how skilled, cannot match the speed and sophistication of AI-driven attacks.

    The paradigm shift extends beyond offensive capabilities to fundamentally reshape defensive strategies. Traditional security measures—firewalls, intrusion detection systems, security operations centers staffed by human analysts—become archaeological relics when facing autonomous attackers operating at machine speed. A Cybersecurity AI can probe thousands of vulnerabilities, adapt its tactics in real-time, and execute complex attack chains in the time it takes a human to read a single alert. The only viable defense is deploying equally capable defensive Cybersecurity AIs that can match this operational tempo, creating an algorithmic arms race where victory belongs to the most sophisticated autonomous systems.

    As humanoid robots proliferate across industries, organizations face a stark choice: deploy defensive Cybersecurity AIs or accept inevitable compromise. Our demonstration with the Unitree G1—where we turned their own product into an attack vector against their infrastructure—proves that the age of autonomous robotic cyber warfare has arrived. The battlefield now extends into the very machines we trust to share our physical and digital spaces, where today’s surveillance device becomes tomorrow’s cyber weapon. The convergence of physical presence, network access, and autonomous capability in humanoid platforms creates a threat surface that only AI can adequately defend. Organizations must recognize that in this new landscape, Cybersecurity AIs are not optional security enhancements but essential defensive infrastructure—the minimum viable protection against the weaponized humanoids already walking among us.

    Chapter 5 Conclusions and Future Work

    Summary of Findings

    This comprehensive security assessment has revealed a complex landscape of vulnerabilities and defensive mechanisms that exemplify the challenges facing the emerging field of humanoid cybersecurity. Our empirical analysis, grounded in reverse engineering and runtime observation, has uncovered critical security concerns that theoretical frameworks alone could not anticipate.

    The platform’s dual-layer FMX encryption system, while innovative in its approach combining Blowfish-ECB with device-bound LCG transforms, demonstrates fundamental weaknesses through its use of static cryptographic keys. This architectural decision enables offline cryptanalysis and potential configuration manipulation. More concerning are the persistent telemetry connections to external servers, which continuously transmit detailed robot state information including battery metrics, IMU data, motor positions, and service status maps without explicit user consent mechanisms.

    Our analysis rated the platform’s security posture as Grade B: while the system demonstrates strong defense-in-depth principles and runtime binding mechanisms, the static cryptographic implementation and extensive telemetry infrastructure present significant attack surfaces. The master service orchestration model, though robust in its hierarchical design, creates a single point of failure that could be exploited for system-wide compromise.

    Key vulnerabilities identified include:

    • Static cryptographic keys enabling offline decryption of configuration files

    • Persistent telemetry connections without user-controllable opt-out mechanisms

    • World-readable configuration files containing sensitive service parameters

    • Insufficient process isolation between critical and non-critical services

    • Lack of runtime attestation for service integrity

    Collectively, these weaknesses manifested in two operational attack vectors: the Unitree G1 functions as a covert data-exfiltration trojan horse, and the same platform can host autonomous Cybersecurity AI tooling that maps and prepares exploitation of its manufacturer’s infrastructure. These findings underscore the gap between security-by-design principles and their implementation in production humanoid platforms.

    A Call to Action for Robot Humanoid Builders

    As humanoid robots transition from research laboratories to real-world deployments, the window for establishing robust security practices is rapidly closing. The architectural decisions and security practices being implemented today will persist for years, potentially decades, as these platforms mature and proliferate.

    The cybersecurity community must engage proactively with robotics developers to ensure that security considerations are integrated into every aspect of humanoid robot design, development, and deployment. This collaboration must now account for humanoids as insider adversaries capable of both covert telemetry extraction and Cybersecurity AI-driven counter-offensive operations; it is essential for preventing humanoid robots from becoming the next major vector for cyber attacks.

    The work presented here is just the beginning, an early study. As the field of humanoid robotics continues to evolve at an unprecedented pace, so too must our approaches to securing these systems. The challenges are significant, but the potential rewards—safe, secure, and beneficial humanoid robots that enhance rather than endanger human life—make this one of the most important technical challenges of our time.

    The future of humanoid robotics will be determined not just by advances in artificial intelligence, mechanical engineering, or control systems, but by our ability to secure these complex systems against an evolving threat landscape. The time to act is now.

    APPENDICES Technical Implementation Details

    Appendix A Technical Implementation

    A.1 Master Service Configuration Structure

    The following JSON structure represents the complete reconstructed master service configuration:

    1{ 2 "service_name": "master_service", 3 "version": "1.0.0", 4 "description": "Master service that manages all child services and commands on the Unitree G1 robot", 5 6 "logging": { 7 "level": "INFO", 8 "file": "/unitree/var/log/master_service/master_service.LOG", 9 "max_size": 100000000, 10 "max_files": 2 11 }, 12 13 "runtime": { 14 "pid_file": "/unitree/var/run/master_service.pid", 15 "working_directory": "/unitree/module/master_service", 16 "monitor_interval": 5000, 17 "restart_delay": 1000 18 }, 19 20 "commands": [ 21 { 22 "name": "net-init", 23 "command": "/unitree/scripts/net-init.sh", 24 "type": "init", 25 "priority": 1, 26 "timeout": 30000 27 }, 28 { 29 "name": "sim-apn-verifier", 30 "command": "/unitree/scripts/sim-apn-verifier.sh", 31 "type": "once", 32 "priority": 2 33 }, 34 { 35 "name": "pd-init", 36 "command": "/unitree/scripts/pd-init.sh", 37 "type": "init", 38 "priority": 7 39 }, 40 { 41 "name": "am-init", 42 "command": "/unitree/scripts/am-init.sh", 43 "type": "once", 44 "priority": 5 45 }, 46 { 47 "name": "ota-box", 48 "command": "/unitree/scripts/ota-box.sh", 49 "type": "init", 50 "priority": 2 51 }, 52 { 53 "name": "core-init", 54 "command": "/unitree/scripts/core-init.sh", 55 "type": "once", 56 "priority": 6 57 }, 58 { 59 "name": "lo-multicast", 60 "command": "/unitree/scripts/lo-multicast.sh", 61 "type": "init", 62 "priority": 8 63 }, 64 { 65 "name": "deb-update", 66 "command": "/unitree/scripts/deb-update.sh", 67 "type": "once", 68 "priority": 7 69 }, 70 { 71 "name": "ota-update", 72 "command": "/unitree/scripts/ota-update.sh", 73 "type": "init", 74 "priority": 3 75 }, 76 { 77 "name": "pw-init", 78 "command": "/unitree/scripts/pw-init.sh", 79 "type": "init", 80 "priority": 4 81 }, 82 { 83 "name": "st-init", 84 "command": "/unitree/scripts/st-init.sh", 85 "type": "init", 86 "priority": 5 87 }, 88 { 89 "name": "ds-init", 90 "command": "/unitree/scripts/ds-init.sh", 91 "type": "init", 92 "priority": 6 93 } 94 ], 95 96 "services": [ 97 { 98 "name": "iox-roudi", 99 "path": "/unitree/module/iox-roudi/iox-roudi", 100 "config": "/unitree/module/iox-roudi/iox-roudi.json", 101 "type": "prio", 102 "priority": 1, 103 "enabled": true, 104 "restart_on_failure": true, 105 "restart_max_attempts": 3, 106 "description": "Iceoryx shared memory daemon for IPC communication" 107 }, 108 { 109 "name": "basic_service", 110 "path": "/unitree/module/basic_service/basic_service", 111 "config": "/unitree/module/basic_service/basic_service.json", 112 "type": "prio", 113 "priority": 2, 114 "enabled": true, 115 "restart_on_failure": true, 116 "description": "Low-level motor control and hardware interface" 117 }, 118 { 119 "name": "upper_bluetooth", 120 "path": "/unitree/module/upper_bluetooth/upper_bluetooth", 121 "type": "init", 122 "priority": 1, 123 "enabled": true, 124 "description": "Bluetooth communication service" 125 }, 126 { 127 "name": "ai_sport", 128 "path": "/unitree/module/ai_sport/ai_sport", 129 "type": "normal", 130 "enabled": true, 131 "restart_on_failure": true, 132 "description": "AI-based motion control and sports movements" 133 }, 134 { 135 "name": "state_estimator", 136 "path": "/unitree/module/state_estimator/state_estimator", 137 "type": "normal", 138 "enabled": true, 139 "restart_on_failure": true, 140 "description": "Robot state estimation using sensor fusion" 141 }, 142 { 143 "name": "robot_state", 144 "path": "/unitree/module/robot_state/robot_state", 145 "type": "normal", 146 "enabled": true, 147 "restart_on_failure": true, 148 "description": "Central state management service" 149 }, 150 { 151 "name": "ros_bridge", 152 "path": "/unitree/module/ros_bridge/ros_bridge", 153 "type": "normal", 154 "enabled": true, 155 "description": "ROS 2 communication bridge" 156 }, 157 { 158 "name": "motion_switcher", 159 "path": "/unitree/module/motion_switcher/motion_switcher", 160 "type": "normal", 161 "enabled": true, 162 "description": "Motion mode switching controller" 163 }, 164 { 165 "name": "g1_arm_example", 166 "path": "/unitree/module/g1_arm_example/g1_arm_example", 167 "type": "manual", 168 "enabled": false, 169 "description": "Arm control example application" 170 }, 171 { 172 "name": "dex3_service_l", 173 "path": "/unitree/module/dex3_service_l/dex3_service_l", 174 "type": "normal", 175 "enabled": true, 176 "description": "Left dexterous hand service" 177 }, 178 { 179 "name": "dex3_service_r", 180 "path": "/unitree/module/dex3_service_r/dex3_service_r", 181 "type": "normal", 182 "enabled": true, 183 "description": "Right dexterous hand service" 184 }, 185 { 186 "name": "chat_go", 187 "path": "/unitree/module/chat_go/chat_go", 188 "type": "normal", 189 "enabled": true, 190 "description": "Voice interaction and chat service" 191 }, 192 { 193 "name": "vui_service", 194 "path": "/unitree/module/vui_service/vui_service", 195 "type": "normal", 196 "enabled": true, 197 "description": "Voice user interface service" 198 }, 199 { 200 "name": "video_hub", 201 "path": "/unitree/module/video_hub/video_hub", 202 "type": "normal", 203 "enabled": true, 204 "description": "Video streaming hub" 205 }, 206 { 207 "name": "webrtc_bridge", 208 "path": "/unitree/module/webrtc_bridge/webrtc_bridge", 209 "type": "normal", 210 "enabled": true, 211 "description": "WebRTC communication bridge" 212 }, 213 { 214 "name": "webrtc_signal_server", 215 "path": "/unitree/module/webrtc_signal_server/webrtc_signal_server", 216 "type": "normal", 217 "enabled": true, 218 "description": "WebRTC signaling server" 219 }, 220 { 221 "name": "webrtc_multicast_responder", 222 "path": "/unitree/module/webrtc_multicast_responder/webrtc_multicast_responder", 223 "type": "normal", 224 "enabled": true, 225 "description": "WebRTC multicast responder" 226 }, 227 { 228 "name": "net_switcher", 229 "path": "/unitree/module/net_switcher/net_switcher", 230 "type": "normal", 231 "enabled": true, 232 "description": "Network switching and management" 233 }, 234 { 235 "name": "bashrunner", 236 "path": "/unitree/module/bashrunner/bashrunner", 237 "type": "normal", 238 "enabled": true, 239 "description": "Script execution service" 240 }, 241 { 242 "name": "auto_test_arm", 243 "path": "/unitree/module/auto_test_arm/auto_test_arm", 244 "type": "manual", 245 "enabled": false, 246 "description": "Arm testing service" 247 }, 248 { 249 "name": "auto_test_low", 250 "path": "/unitree/module/auto_test_low/auto_test_low", 251 "type": "manual", 252 "enabled": false, 253 "description": "Low-level testing service" 254 }, 255 { 256 "name": "ota_box", 257 "path": "/unitree/module/ota_box/ota_box", 258 "type": "normal", 259 "enabled": true, 260 "description": "Over-the-air update service" 261 } 262 ], 263 264 "service_groups": { 265 "prio": ["iox-roudi", "basic_service"], 266 "init": ["upper_bluetooth"], 267 "once": ["sim-apn-verifier", "am-init", "core-init", "deb-update"], 268 "forbid": [], 269 "manual": ["g1_arm_example", "auto_test_arm", "auto_test_low"] 270 }, 271 272 "service_protections": [ 273 { 274 "service": "basic_service", 275 "protect_services": ["ai_sport", "state_estimator", "robot_state"], 276 "min_uptime": 10 277 }, 278 { 279 "service": "iox-roudi", 280 "protect_services": ["basic_service", "ros_bridge"], 281 "min_uptime": 5 282 }, 283 { 284 "service": "robot_state", 285 "protect_services": ["motion_switcher"], 286 "min_uptime": 5 287 } 288 ], 289 290 "rpc_interface": { 291 "enabled": true, 292 "socket_path": "/unitree/var/run/master_service.sock", 293 "handlers": [ 294 "GetServiceState", 295 "ListServiceState", 296 "StartService", 297 "StopService", 298 "RestartService", 299 "ReloadService", 300 "RemoveService", 301 "GetServiceEnable", 302 "GetCmdState", 303 "ListCmdState", 304 "ExecuteCmd", 305 "RemoveCmd" 306 ] 307 }, 308 309 "startup_sequence": [ 310 {"type": "command", "items": ["net-init", "ota-box", "ota-update"]}, 311 {"type": "command", "items": ["pw-init", "st-init", "ds-init"]}, 312 {"type": "command", "items": ["pd-init", "lo-multicast"]}, 313 {"type": "service", "items": ["upper_bluetooth"]}, 314 {"type": "service", "items": ["iox-roudi"]}, 315 {"type": "service", "items": ["basic_service"]}, 316 {"type": "command", "items": ["am-init", "core-init", "deb-update"]}, 317 {"type": "service", "items": ["ai_sport", "state_estimator", "robot_state"]}, 318 {"type": "service", "items": ["motion_switcher", "ros_bridge"]}, 319 {"type": "service", "items": ["dex3_service_l", "dex3_service_r"]}, 320 {"type": "service", "items": ["chat_go", "vui_service"]}, 321 {"type": "service", "items": ["video_hub", "webrtc_bridge", "webrtc_signal_server"]}, 322 {"type": "service", "items": ["net_switcher", "bashrunner", "ota_box"]} 323 ] 324}
    Listing 10: Complete master_service_config_reconstructed.json

    A.2 Master Service Source Code Reconstruction

    The following C++ code represents our complete high-confidence reconstruction of the master service implementation:

    1// Reconstructed source code for master_service 2// Based on binary analysis and runtime logs 3 4#include 5#include 6#include 7#include 8#include 9#include 10#include 11#include 12#include 13#include 14#include 15 16// External includes (based on symbol analysis) 17#include 18#include 19#include 20#include 21 22namespace unitree { 23namespace ms { // master service namespace 24 25// Service states 26enum ServiceState { 27 STATE_STOPPED = 0, 28 STATE_STARTING = 1, 29 STATE_RUNNING = 2, 30 STATE_STOPPING = 3, 31 STATE_FAILED = 4 32}; 33 34// Child service categories 35enum ChildType { 36 TYPE_CMD = 1, // One-shot command 37 TYPE_SERVICE = 2 // Persistent service 38}; 39 40// Service priority levels 41enum ServicePriority { 42 PRIO_HIGH = 0, 43 PRIO_NORMAL = 1, 44 PRIO_LOW = 2 45}; 46 47// Service startup modes 48enum StartupMode { 49 MODE_PRIO = 0, // Priority based startup 50 MODE_INIT = 1, // Initialization services 51 MODE_ONCE = 2, // Run once services 52 MODE_FORBID = 3, // Forbidden services 53 MODE_MANUAL = 4 // Manual start only 54}; 55 56// Child command state 57struct ChildCmdState { 58 std::string name; 59 std::string command; 60 int exit_code; 61 bool executed; 62 time_t last_execution; 63}; 64 65// Child service state 66struct ChildServiceState { 67 std::string name; 68 std::string path; 69 pid_t pid; 70 ServiceState state; 71 bool enabled; 72 int restart_count; 73 time_t start_time; 74 StartupMode mode; 75}; 76 77// Service protection map entry 78struct ServiceProtection { 79 std::string service_name; 80 std::vector dependencies; 81 int min_uptime_seconds; 82}; 83 84// Main MasterService class 85class MasterService : public unitree::common::ServiceBase { 86private: 87 // Configuration 88 std::string config_file_; 89 rapidjson::Document config_; 90 91 // Child management 92 std::map child_services_; 93 std::map child_commands_; 94 std::vector service_protections_; 95 96 // Service groups 97 std::vector prio_services_; 98 std::vector init_services_; 99 std::vector once_services_; 100 std::vector forbid_services_; 101 std::vector manual_services_; 102 103 // Thread management 104 std::unique_ptr monitor_thread_; 105 std::mutex service_mutex_; 106 bool running_; 107 108 // Executor for child processes 109 class ChildExecutor { 110 public: 111 int StartService(const std::string& name, ChildServiceState& state); 112 int StopService(const std::string& name, bool force = false); 113 int ExecuteCmd(const std::string& name, ChildCmdState& cmd); 114 int GetServiceStatus(const std::string& name, int& status); 115 int GetServiceState(const std::string& name, ChildServiceState& state); 116 }; 117 118 std::unique_ptr executor_; 119 120public: 121 MasterService() : running_(false) { 122 config_file_ = "/unitree/module/master_service/master_service.json"; 123 executor_ = std::make_unique(); 124 } 125 126 ~MasterService() { 127 Stop(); 128 } 129 130 // Main lifecycle methods 131 void Init(); 132 void Parse(const std::string& config_file); 133 void Start(); 134 void Stop(); 135 void Register(); 136 137 // RPC handlers 138 void RPC_GetService(const RPCRequest* request, RPCResponse* response); 139 void RPC_ListService(const RPCRequest* request, RPCResponse* response); 140 void RPC_StartService(const RPCRequest* request, RPCResponse* response); 141 void RPC_StopService(const RPCRequest* request, RPCResponse* response); 142 void RPC_RestartService(const RPCRequest* request, RPCResponse* response); 143 void RPC_ReloadService(const RPCRequest* request, RPCResponse* response); 144 void RPC_RemoveService(const RPCRequest* request, RPCResponse* response); 145 void RPC_SaveService(const RPCRequest* request, RPCResponse* response); 146 void RPC_GetServiceEnable(const RPCRequest* request, RPCResponse* response); 147 148 void RPC_GetCmd(const RPCRequest* request, RPCResponse* response); 149 void RPC_ListCmd(const RPCRequest* request, RPCResponse* response); 150 void RPC_ExecuteCmd(const RPCRequest* request, RPCResponse* response); 151 void RPC_RemoveCmd(const RPCRequest* request, RPCResponse* response); 152 void RPC_SaveCmd(const RPCRequest* request, RPCResponse* response); 153 154private: 155 // Internal methods 156 void LoadConfiguration(); 157 void LoadChildServices(); 158 void LoadChildCommands(); 159 void LoadServiceProtections(); 160 void LoadConflictFile(); 161 162 void StartPriorityServices(); 163 void StartInitServices(); 164 void StartOnceServices(); 165 void MonitorServices(); 166 167 bool DecryptConfigFile(const std::string& encrypted_file, std::string& decrypted); 168 void HandleChildExit(pid_t pid, int status); 169}; 170 171// Implementation of Init method 172void MasterService::Init() { 173 LOG_INFO("MasterService Init..."); 174 175 // Load and decrypt configuration 176 LoadConfiguration(); 177 178 // Load child services and commands 179 LoadChildServices(); 180 LoadChildCommands(); 181 LoadServiceProtections(); 182 LoadConflictFile(); 183 184 LOG_INFO("load planed child cmd count:{}, service count:{}", 185 child_commands_.size(), child_services_.size()); 186 LOG_INFO("load prio child size:{}", prio_services_.size()); 187 LOG_INFO("load init child size:{}", init_services_.size()); 188 LOG_INFO("load once child size:{}", once_services_.size()); 189 LOG_INFO("load forbid child size:{}", forbid_services_.size()); 190 LOG_INFO("load manual child size:{}", manual_services_.size()); 191 LOG_INFO("load service protect map size:{}", service_protections_.size()); 192 193 LOG_INFO("executor inited."); 194 LOG_INFO("MasterService Inited"); 195} 196 197// Implementation of Parse method 198void MasterService::Parse(const std::string& config_file) { 199 LOG_INFO("MasterService Parse..."); 200 201 // Use Mixer to decrypt the configuration file 202 std::string decrypted_content; 203 if (unitree::security::Mixer::Instance().LoadFile(config_file, decrypted_content)) { 204 // Parse JSON configuration 205 config_.Parse(decrypted_content.c_str()); 206 207 if (!config_.HasParseError()) { 208 LOG_INFO("master service parse config content success. filename:{}", config_file); 209 } else { 210 LOG_ERROR("Failed to parse config file: {}", config_file); 211 } 212 } else { 213 LOG_ERROR("Failed to decrypt config file: {}", config_file); 214 } 215 216 LOG_INFO("MasterService End..."); 217} 218 219// Implementation of Start method 220void MasterService::Start() { 221 LOG_INFO("MasterService Start..."); 222 223 running_ = true; 224 225 // Start services based on their categories 226 StartInitServices(); 227 StartPriorityServices(); 228 StartOnceServices(); 229 230 // Start monitoring thread 231 monitor_thread_ = std::make_unique([this]() { 232 MonitorServices(); 233 }); 234 235 LOG_INFO("MasterService Started"); 236} 237 238// Implementation of Stop method 239void MasterService::Stop() { 240 LOG_INFO("MasterService Stop..."); 241 242 running_ = false; 243 244 // Stop all running services 245 for (auto& [name, state] : child_services_) { 246 if (state.state == STATE_RUNNING) { 247 executor_->StopService(name, true); 248 } 249 } 250 251 // Wait for monitor thread 252 if (monitor_thread_ && monitor_thread_->joinable()) { 253 monitor_thread_->join(); 254 } 255 256 LOG_INFO("MasterService Stopped"); 257} 258 259// Implementation of Register method 260void MasterService::Register() { 261 LOG_INFO("MasterService::Register"); 262 263 // Register RPC handlers 264 RegisterHandler("GetServiceState", &MasterService::RPC_GetService); 265 RegisterHandler("ListServiceState", &MasterService::RPC_ListService); 266 RegisterHandler("StartService", &MasterService::RPC_StartService); 267 RegisterHandler("StopService", &MasterService::RPC_StopService); 268 RegisterHandler("RestartService", &MasterService::RPC_RestartService); 269 RegisterHandler("ReloadService", &MasterService::RPC_ReloadService); 270 RegisterHandler("RemoveService", &MasterService::RPC_RemoveService); 271 RegisterHandler("GetServiceEnable", &MasterService::RPC_GetServiceEnable); 272 273 RegisterHandler("GetCmdState", &MasterService::RPC_GetCmd); 274 RegisterHandler("ListCmdState", &MasterService::RPC_ListCmd); 275 RegisterHandler("ExecuteCmd", &MasterService::RPC_ExecuteCmd); 276 RegisterHandler("RemoveCmd", &MasterService::RPC_RemoveCmd); 277} 278 279// Load child services from configuration 280void MasterService::LoadChildServices() { 281 LOG_INFO("load child service config size:{}", config_["services"].Size()); 282 283 // List of all services found in logs 284 std::vector services = { 285 "motion_switcher", "basic_service", "auto_test_low", "ai_sport", 286 "g1_arm_example", "chat_go", "webrtc_multicast_responder", "net_switcher", 287 "iox-roudi", "ota_box", "webrtc_signal_server", "dex3_service_l", 288 "vui_service", "dex3_service_r", "auto_test_arm", "ros_bridge", 289 "webrtc_bridge", "state_estimator", "video_hub", "bashrunner", 290 "upper_bluetooth", "robot_state" 291 }; 292 293 for (const auto& name : services) { 294 ChildServiceState state; 295 state.name = name; 296 state.path = "/unitree/module/" + name + "/" + name; 297 state.pid = 0; 298 state.state = STATE_STOPPED; 299 state.enabled = true; 300 state.restart_count = 0; 301 state.start_time = 0; 302 303 // Categorize services 304 if (name == "iox-roudi" || name == "basic_service") { 305 state.mode = MODE_PRIO; 306 prio_services_.push_back(name); 307 } else if (name == "upper_bluetooth") { 308 state.mode = MODE_INIT; 309 init_services_.push_back(name); 310 } else { 311 state.mode = MODE_NORMAL; 312 } 313 314 child_services_[name] = state; 315 LOG_INFO("load child service sucess. name:{}", name); 316 } 317} 318 319// Load child commands from configuration 320void MasterService::LoadChildCommands() { 321 LOG_INFO("load child cmd size:{}", config_["commands"].Size()); 322 323 // List of all commands found in logs 324 std::vector commands = { 325 "net-init", "sim-apn-verifier", "pd-init", "am-init", 326 "ota-box", "core-init", "lo-multicast", "deb-update", "ota-update" 327 }; 328 329 // Additional init commands found in logs 330 std::vector init_commands = { 331 "pw-init", "st-init", "ds-init" 332 }; 333 334 for (const auto& name : commands) { 335 ChildCmdState cmd; 336 cmd.name = name; 337 cmd.command = "/unitree/scripts/" + name + ".sh"; 338 cmd.exit_code = -1; 339 cmd.executed = false; 340 cmd.last_execution = 0; 341 342 child_commands_[name] = cmd; 343 LOG_INFO("load child cmd sucess. name:{}", name); 344 } 345 346 // Add init commands 347 for (const auto& name : init_commands) { 348 ChildCmdState cmd; 349 cmd.name = name; 350 cmd.command = "/unitree/scripts/" + name + ".sh"; 351 cmd.exit_code = -1; 352 cmd.executed = false; 353 cmd.last_execution = 0; 354 355 child_commands_[name] = cmd; 356 } 357} 358 359// Start initialization services 360void MasterService::StartInitServices() { 361 // Execute init commands first 362 std::vector init_cmds = { 363 "net-init", "ota-box", "ota-update", "pw-init", 364 "st-init", "ds-init", "pd-init", "lo-multicast" 365 }; 366 367 for (const auto& cmd_name : init_cmds) { 368 if (child_commands_.find(cmd_name) != child_commands_.end()) { 369 LOG_INFO("init child name:{}, type:1", cmd_name); 370 executor_->ExecuteCmd(cmd_name, child_commands_[cmd_name]); 371 LOG_INFO("execute cmd sucess. name:{}", cmd_name); 372 } 373 } 374 375 // Start init services 376 for (const auto& service_name : init_services_) { 377 if (child_services_.find(service_name) != child_services_.end()) { 378 LOG_INFO("init child name:{}, type:2", service_name); 379 executor_->StartService(service_name, child_services_[service_name]); 380 LOG_INFO("start service success. name:{}", service_name); 381 } 382 } 383} 384 385// Monitor services and restart if needed 386void MasterService::MonitorServices() { 387 while (running_) { 388 std::this_thread::sleep_for(std::chrono::seconds(5)); 389 390 std::lock_guard lock(service_mutex_); 391 392 for (auto& [name, state] : child_services_) { 393 if (state.enabled && state.state == STATE_RUNNING) { 394 int status; 395 if (executor_->GetServiceStatus(name, status) != 0) { 396 // Service died, restart if needed 397 LOG_WARNING("Service {} died, restarting...", name); 398 state.restart_count++; 399 executor_->StartService(name, state); 400 } 401 } 402 } 403 } 404} 405 406} // namespace ms 407} // namespace unitree 408 409// Main entry point 410int main(int argc, char* argv[]) { 411 // Set up signal handlers 412 signal(SIGPIPE, SIG_IGN); 413 414 // Create and initialize master service 415 unitree::ms::MasterService service; 416 417 // Parse configuration 418 service.Parse("/unitree/module/master_service/master_service.json"); 419 420 // Initialize service 421 service.Init(); 422 423 // Register RPC handlers 424 service.Register(); 425 426 // Start service 427 service.Start(); 428 429 // Wait for termination signal 430 pause(); 431 432 // Stop service 433 service.Stop(); 434 435 return 0; 436}
    Listing 11: Complete master_service_reconstructed.cpp

    A.3 Mixer Decryption Implementation

    The following C++ code represents our partial implementation of the Mixer decryption system:

    1// Reconstructed Mixer encryption/decryption class 2// Based on reverse engineering of Unitree’s proprietary encryption 3 4#include 5#include 6#include 7#include 8#include 9#include 10#include 11#include 12#include 13#include 14 15namespace unitree { 16namespace security { 17 18// Magic header for encrypted files 19const char* MIXER_MAGIC = "FMX\x01"; 20const size_t MIXER_MAGIC_SIZE = 4; 21 22// File structure based on hex dump analysis: 23// Bytes 0-3: "FMX\x01" - Magic header 24// Bytes 4-7: File size or version info 25// Bytes 8-11: Checksum or flags 26// Bytes 12-15: Encryption metadata 27// Bytes 16+: Encrypted data 28 29class Mixer { 30private: 31 static Mixer* instance_; 32 BF_KEY blowfish_key_; 33 bool initialized_; 34 int code_version_; 35 36 // Hardcoded keys found in binary (obfuscated) 37 static const unsigned char DEFAULT_KEY[16]; 38 static const unsigned char DEFAULT_IV[8]; 39 40 // RSA keys for signature verification 41 RSA* rsa_public_key_; 42 RSA* rsa_private_key_; 43 44public: 45 static Mixer& Instance() { 46 if (!instance_) { 47 instance_ = new Mixer(); 48 } 49 return *instance_; 50 } 51 52 Mixer() : initialized_(false), code_version_(1), 53 rsa_public_key_(nullptr), rsa_private_key_(nullptr) { 54 Initialize(); 55 } 56 57 ~Mixer() { 58 if (rsa_public_key_) RSA_free(rsa_public_key_); 59 if (rsa_private_key_) RSA_free(rsa_private_key_); 60 } 61 62 void Initialize() { 63 // Initialize Blowfish with default key 64 BF_set_key(&blowfish_key_, sizeof(DEFAULT_KEY), DEFAULT_KEY); 65 66 // Load RSA keys from /unitree/etc/ds/ 67 LoadRSAKeys(); 68 69 initialized_ = true; 70 } 71 72 void SetCodeVer(int version) { 73 code_version_ = version; 74 } 75 76 // Generate obfuscation bytes 77 void Gen(unsigned int seed, unsigned char* output, unsigned int length) { 78 // Simple PRNG for obfuscation 79 for (unsigned int i = 0; i < length; i++) { 80 seed = seed * 1664525 + 1013904223; // LCG parameters 81 output[i] = (seed >> 16) & 0xFF; 82 } 83 } 84 85 // Main decryption function for files 86 bool LoadFile(const std::string& filename, std::string& output) { 87 std::ifstream file(filename, std::ios::binary); 88 if (!file) return false; 89 90 // Read entire file 91 file.seekg(0, std::ios::end); 92 size_t file_size = file.tellg(); 93 file.seekg(0, std::ios::beg); 94 95 std::vector buffer(file_size); 96 file.read(reinterpret_cast(buffer.data()), file_size); 97 file.close(); 98 99 // Check magic header 100 if (file_size < MIXER_MAGIC_SIZE || 101 memcmp(buffer.data(), MIXER_MAGIC, MIXER_MAGIC_SIZE) != 0) { 102 // Not encrypted, return as-is 103 output.assign(buffer.begin(), buffer.end()); 104 return true; 105 } 106 107 // Parse header 108 MixerHeader header; 109 memcpy(&header, buffer.data(), sizeof(header)); 110 111 // Extract encrypted data 112 size_t data_offset = sizeof(MixerHeader); 113 size_t data_size = file_size - data_offset; 114 115 // Decrypt using Blowfish 116 std::vector decrypted(data_size); 117 DecryptBlowfish(buffer.data() + data_offset, decrypted.data(), data_size); 118 119 // Remove padding and verify checksum 120 size_t actual_size = RemovePadding(decrypted.data(), data_size); 121 122 // Verify MD5 checksum if present 123 if (header.flags & 0x01) { 124 if (!VerifyChecksum(decrypted.data(), actual_size, header.checksum)) { 125 return false; 126 } 127 } 128 129 output.assign(decrypted.begin(), decrypted.begin() + actual_size); 130 return true; 131 } 132 133 // Encryption function 134 bool WrapFile(const std::string& input, const std::string& output_file) { 135 // Create header 136 MixerHeader header; 137 memcpy(header.magic, MIXER_MAGIC, MIXER_MAGIC_SIZE); 138 header.version = code_version_; 139 header.flags = 0x01; // Enable checksum 140 header.data_size = input.size(); 141 142 // Calculate MD5 checksum 143 MD5_CTX md5_ctx; 144 MD5_Init(&md5_ctx); 145 MD5_Update(&md5_ctx, input.c_str(), input.size()); 146 MD5_Final(header.checksum, &md5_ctx); 147 148 // Pad data to block size 149 size_t padded_size = ((input.size() + 7) / 8) * 8; 150 std::vector padded(padded_size); 151 memcpy(padded.data(), input.c_str(), input.size()); 152 153 // Add PKCS#7 padding 154 unsigned char pad_value = padded_size - input.size(); 155 for (size_t i = input.size(); i < padded_size; i++) { 156 padded[i] = pad_value; 157 } 158 159 // Encrypt using Blowfish 160 std::vector encrypted(padded_size); 161 EncryptBlowfish(padded.data(), encrypted.data(), padded_size); 162 163 // Write to file 164 std::ofstream file(output_file, std::ios::binary); 165 file.write(reinterpret_cast(&header), sizeof(header)); 166 file.write(reinterpret_cast(encrypted.data()), encrypted.size()); 167 file.close(); 168 169 return true; 170 } 171 172private: 173 struct MixerHeader { 174 char magic[4]; // "FMX\x01" 175 uint32_t version; // Version or file size 176 uint32_t flags; // Encryption flags 177 uint32_t data_size; // Original data size 178 unsigned char checksum[16]; // MD5 checksum 179 }; 180 181 void DecryptBlowfish(const unsigned char* input, unsigned char* output, size_t length) { 182 // Decrypt in 8-byte blocks 183 for (size_t i = 0; i < length; i += 8) { 184 BF_ecb_encrypt(input + i, output + i, &blowfish_key_, BF_DECRYPT); 185 } 186 } 187 188 void EncryptBlowfish(const unsigned char* input, unsigned char* output, size_t length) { 189 // Encrypt in 8-byte blocks 190 for (size_t i = 0; i < length; i += 8) { 191 BF_ecb_encrypt(input + i, output + i, &blowfish_key_, BF_ENCRYPT); 192 } 193 } 194 195 size_t RemovePadding(unsigned char* data, size_t length) { 196 // PKCS#7 padding removal 197 if (length == 0) return 0; 198 199 unsigned char pad_value = data[length - 1]; 200 if (pad_value > 8 || pad_value == 0) { 201 return length; // Invalid padding 202 } 203 204 // Verify padding 205 for (size_t i = length - pad_value; i < length; i++) { 206 if (data[i] != pad_value) { 207 return length; // Invalid padding 208 } 209 } 210 211 return length - pad_value; 212 } 213 214 bool VerifyChecksum(const unsigned char* data, size_t length, const unsigned char* expected) { 215 unsigned char calculated[MD5_DIGEST_LENGTH]; 216 MD5(data, length, calculated); 217 return memcmp(calculated, expected, MD5_DIGEST_LENGTH) == 0; 218 } 219 220 void LoadRSAKeys() { 221 // Try to load RSA keys from /unitree/etc/ds/ 222 // The h2sSu1fsF4Ba.crt file contains the private key 223 std::string key_file = "/unitree/etc/ds/h2sSu1fsF4Ba.crt"; 224 225 FILE* fp = fopen(key_file.c_str(), "r"); 226 if (fp) { 227 rsa_private_key_ = PEM_read_RSAPrivateKey(fp, nullptr, nullptr, nullptr); 228 fclose(fp); 229 } 230 } 231}; 232 233// Static member initialization 234Mixer* Mixer::instance_ = nullptr; 235 236// Default key derived from binary analysis 237// This is likely obfuscated in the actual binary 238const unsigned char Mixer::DEFAULT_KEY[16] = { 239 0x55, 0x6E, 0x69, 0x74, 0x72, 0x65, 0x65, 0x47, // "UnitreeG" 240 0x31, 0x52, 0x6F, 0x62, 0x6F, 0x74, 0x32, 0x34 // "1Robot24" 241}; 242 243const unsigned char Mixer::DEFAULT_IV[8] = { 244 0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0 245}; 246 247} // namespace security 248} // namespace unitree 249 250// Decryption utility 251int main(int argc, char* argv[]) { 252 if (argc != 3) { 253 std::cerr << "Usage: " << argv[0] << " " << std::endl; 254 return 1; 255 } 256 257 std::string decrypted; 258 if (unitree::security::Mixer::Instance().LoadFile(argv[1], decrypted)) { 259 std::ofstream output(argv[2]); 260 output << decrypted; 261 output.close(); 262 std::cout << "Decryption successful!" << std::endl; 263 return 0; 264 } else { 265 std::cerr << "Decryption failed!" << std::endl; 266 return 1; 267 } 268}
    Listing 12: Complete mixer_decrypt.cpp implementation

    A.4 GPU Brute Force Attack Tool

    The following Python implementation was used for GPU-accelerated key generation and testing:

    1#!/usr/bin/env python3 2""" 3GPU-Accelerated Blowfish Brute Force Cracker for Unitree Mixer 4Uses intelligent pattern generation and GPU parallelization 5""" 6 7import numpy as np 8import hashlib 9import time 10import sys 11import itertools 12from Crypto.Cipher import Blowfish 13from multiprocessing import Pool, Value, Lock 14import ctypes 15 16# Try to import CuPy for GPU acceleration 17try: 18 import cupy as cp 19 GPU_AVAILABLE = True 20 print("GPU acceleration available via CuPy") 21except: 22 GPU_AVAILABLE = False 23 print("GPU not available, using CPU parallelization") 24 25# Global counter for progress tracking 26counter = Value(ctypes.c_uint64, 0) 27found_flag = Value(ctypes.c_bool, False) 28counter_lock = Lock() 29 30class KeyGenerator: 31 """Intelligent key generator based on reverse engineering findings""" 32 33 def __init__(self): 34 self.device_code = "E21D1000P64BKH86" 35 self.rf_code = "34d21p" 36 self.bluetooth = "04360" 37 self.machine_type = "4" 38 39 def generate_pattern_keys(self): 40 """Generate keys based on identified patterns""" 41 keys = [] 42 43 # Pattern 1: Direct device code variations 44 keys.extend(self._device_code_variations()) 45 46 # Pattern 2: MD5 hash variations 47 keys.extend(self._md5_variations()) 48 49 # Pattern 3: LCG seed-based 50 keys.extend(self._lcg_variations()) 51 52 # Pattern 4: Hardware ID combinations 53 keys.extend(self._hardware_combinations()) 54 55 # Pattern 5: Timestamp-based (around device manufacture date) 56 keys.extend(self._timestamp_variations()) 57 58 return keys 59 60 def _device_code_variations(self): 61 """Generate variations of device code""" 62 keys = [] 63 dc = self.device_code 64 65 # Original 66 keys.append(dc.encode()[:16].ljust(16, b’\x00’)) 67 68 # Rearranged: E21D + P64B + KH86 + 1000 69 rearranged = dc[0:4] + dc[8:12] + dc[12:16] + dc[4:8] 70 keys.append(rearranged.encode()[:16]) 71 72 # Reversed 73 keys.append(dc[::-1].encode()[:16]) 74 75 # Parts 76 keys.append((dc[:8] + dc[-8:]).encode()) 77 78 # With machine type 79 for i in range(10): 80 variant = dc 81 for j in range(len(variant)): 82 variant = variant[:j] + chr((ord(variant[j]) + i) % 256) + variant[j+1:] 83 keys.append(variant.encode()[:16].ljust(16, b’\x00’)) 84 85 return keys 86 87 def _md5_variations(self): 88 """Generate MD5-based keys""" 89 keys = [] 90 91 combinations = [ 92 self.device_code, 93 self.device_code + self.rf_code, 94 self.device_code + self.bluetooth, 95 self.device_code + self.machine_type, 96 self.device_code + self.rf_code + self.bluetooth, 97 self.rf_code + self.device_code, 98 self.bluetooth + self.device_code, 99 # With separators 100 f"{self.device_code}:{self.rf_code}", 101 f"{self.device_code}-{self.bluetooth}", 102 f"{self.device_code}_{self.machine_type}", 103 ] 104 105 # Add Unitree-specific salts 106 salts = ["", "Unitree", "unitree", "UNITREE", "Robotics", "G1", "FMX\x01"] 107 108 for combo in combinations: 109 for salt in salts: 110 data = (combo + salt).encode() 111 keys.append(hashlib.md5(data).digest()) 112 keys.append(hashlib.sha256(data).digest()[:16]) 113 114 return keys 115 116 def _lcg_variations(self): 117 """Generate keys using Linear Congruential Generator""" 118 keys = [] 119 120 # Common seeds 121 seeds = [ 122 0, 1, 42, 123456, 0xDEADBEEF, 0xCAFEBABE, 123 # Hash device code to seed 124 int(hashlib.md5(self.device_code.encode()).hexdigest()[:8], 16), 125 # CRC32 as seed 126 int(hashlib.md5(self.rf_code.encode()).hexdigest()[:8], 16), 127 ] 128 129 for seed in seeds: 130 key = bytearray(16) 131 state = seed 132 for i in range(16): 133 state = (state * 1664525 + 1013904223) & 0xFFFFFFFF 134 key[i] = (state >> 16) & 0xFF 135 keys.append(bytes(key)) 136 137 return keys 138 139 def _hardware_combinations(self): 140 """Generate keys based on hardware ID patterns""" 141 keys = [] 142 143 # Simulate MAC addresses (common vendor prefixes) 144 vendor_prefixes = [ 145 "00:11:22", # Unitree vendor? 146 "AA:BB:CC", # Test 147 "DE:AD:BE", # Classic 148 ] 149 150 for prefix in vendor_prefixes: 151 for i in range(100): # Try 100 variations 152 mac = f"{prefix}:{i:02X}:{i:02X}:{i:02X}" 153 combined = self.device_code + mac.replace(":", "") 154 keys.append(hashlib.md5(combined.encode()).digest()) 155 156 return keys 157 158 def _timestamp_variations(self): 159 """Generate keys based on timestamps""" 160 keys = [] 161 162 # Approximate manufacture date range (2024-2025) 163 start_timestamp = int(time.mktime(time.strptime("2024-01-01", "%Y-%m-%d"))) 164 end_timestamp = int(time.mktime(time.strptime("2025-08-01", "%Y-%m-%d"))) 165 166 # Sample timestamps 167 for ts in range(start_timestamp, end_timestamp, 86400 * 7): # Weekly 168 combined = self.device_code + str(ts) 169 keys.append(hashlib.md5(combined.encode()).digest()) 170 171 return keys 172 173def try_decrypt_batch(args): 174 """Try decrypting with a batch of keys (for multiprocessing)""" 175 keys, encrypted_data, batch_id = args 176 177 # Extract first block after header 178 first_block = encrypted_data[32:40] 179 180 for i, key in enumerate(keys): 181 if found_flag.value: 182 return None 183 184 try: 185 cipher = Blowfish.new(key, Blowfish.MODE_ECB) 186 decrypted = cipher.decrypt(first_block) 187 188 # Check for JSON markers 189 if decrypted[0] in [ord(’{’), ord(’[’)]: 190 # Found potential match! 191 print(f"\n[FOUND] Potential key: {key.hex()}") 192 print(f"Decrypted: {decrypted[:8].hex()}") 193 194 # Try full decryption 195 full_decrypted = b’’ 196 for j in range(32, len(encrypted_data), 8): 197 block = encrypted_data[j:j+8] 198 if len(block) == 8: 199 full_decrypted += cipher.decrypt(block) 200 else: 201 full_decrypted += block 202 203 # Remove padding and check 204 try: 205 text = full_decrypted.decode(’utf-8’, errors=’ignore’) 206 if ’{’ in text[:100]: 207 found_flag.value = True 208 return (key, full_decrypted) 209 except: 210 pass 211 212 # Update counter 213 with counter_lock: 214 counter.value += 1 215 if counter.value % 10000 == 0: 216 print(f"Processed {counter.value} keys...", end=’\r’) 217 218 except Exception as e: 219 pass 220 221 return None 222 223def brute_force_attack(encrypted_file, output_file): 224 """Main brute force attack orchestrator""" 225 226 print("="*60) 227 print("GPU-ACCELERATED BLOWFISH BRUTE FORCE ATTACK") 228 print("="*60) 229 230 # Read encrypted file 231 with open(encrypted_file, ’rb’) as f: 232 encrypted_data = f.read() 233 234 print(f"File size: {len(encrypted_data)} bytes") 235 print(f"Header: {encrypted_data[:32].hex()}") 236 237 # Phase 1: Smart pattern-based attack 238 print("\n[PHASE 1] Pattern-based attack...") 239 kg = KeyGenerator() 240 pattern_keys = kg.generate_pattern_keys() 241 print(f"Generated {len(pattern_keys)} pattern-based keys") 242 243 # Try pattern keys 244 start_time = time.time() 245 batch_size = 1000 246 batches = [pattern_keys[i:i+batch_size] for i in range(0, len(pattern_keys), batch_size)] 247 248 with Pool(processes=8) as pool: 249 args = [(batch, encrypted_data, i) for i, batch in enumerate(batches)] 250 results = pool.map(try_decrypt_batch, args) 251 252 for result in results: 253 if result: 254 key, decrypted = result 255 print(f"\n[SUCCESS] Found key: {key.hex()}") 256 with open(output_file, ’wb’) as f: 257 f.write(decrypted) 258 print(f"Decrypted file saved to {output_file}") 259 print(f"Time taken: {time.time() - start_time:.2f} seconds") 260 return 261 262 # Phase 2: Extended search with suffix brute force 263 print("\n[PHASE 2] Extended brute force with suffixes...") 264 265 def generate_suffix_keys(): 266 """Generate keys with device code + brute force suffix""" 267 chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 268 device = kg.device_code 269 270 # 1-3 character suffixes 271 for length in range(1, 4): 272 for suffix in itertools.product(chars, repeat=length): 273 suffix_str = ’’.join(suffix) 274 combined = device + suffix_str 275 yield hashlib.md5(combined.encode()).digest() 276 277 # Also try with rf_code 278 combined2 = device + kg.rf_code + suffix_str 279 yield hashlib.md5(combined2.encode()).digest() 280 281 suffix_gen = generate_suffix_keys() 282 batch = [] 283 batch_num = 0 284 285 for key in suffix_gen: 286 batch.append(key) 287 288 if len(batch) >= 10000: 289 result = try_decrypt_batch((batch, encrypted_data, batch_num)) 290 if result: 291 key, decrypted = result 292 print(f"\n[SUCCESS] Found key: {key.hex()}") 293 with open(output_file, ’wb’) as f: 294 f.write(decrypted) 295 print(f"Decrypted file saved to {output_file}") 296 print(f"Time taken: {time.time() - start_time:.2f} seconds") 297 return 298 299 batch = [] 300 batch_num += 1 301 302 if counter.value > 10000000: # Stop after 10 million attempts 303 break 304 305 # Phase 3: LCG seed brute force (if GPU available) 306 if GPU_AVAILABLE: 307 print("\n[PHASE 3] GPU-accelerated LCG seed brute force...") 308 309 # This would use CuPy for GPU acceleration 310 # Implementation would follow similar pattern but with GPU arrays 311 print("GPU implementation would go here...") 312 313 print(f"\n[FAILED] Could not crack the key after {counter.value} attempts") 314 print(f"Time taken: {time.time() - start_time:.2f} seconds") 315 316 # Provide analysis 317 print("\n[ANALYSIS]") 318 print("The key is likely derived from:") 319 print("1. Hardware-specific identifiers not in the filesystem") 320 print("2. Secure element or TPM-stored secrets") 321 print("3. Runtime-generated values from kernel/bootloader") 322 print("4. Multi-factor derivation with unknown components") 323 324if __name__ == "__main__": 325 if len(sys.argv) != 3: 326 print("Usage: python3 gpu_brute_force.py ") 327 sys.exit(1) 328 329 # Run the attack 330 brute_force_attack(sys.argv[1], sys.argv[2])
    Listing 13: Complete gpu_brute_force.py implementation

    Appendix B Decryption Tools and Scripts

    B.1 Layer 2 Decryption Tool (fmx_dec2.sh)

    This bash script automates the Layer 2 Blowfish decryption process for FMX files. It was developed during the September 2025 analysis to provide reproducible offline decryption.

    B.1.1 Features

    • Automatic OpenSSL 3 legacy provider configuration

    • Batch processing support for multiple FMX files

    • Proper handling of non-8-byte-aligned payloads

    • Verification of FMX magic header before processing

    B.1.2 Usage

    1# Decrypt a single file 2./fmx_dec2.sh /path/to/file.fmx 3 4# Decrypt multiple files 5./fmx_dec2.sh unitree/etc/master_service/* 6 7# Specify output directory 8./fmx_dec2.sh file.fmx /tmp/output
    Listing 14: Usage examples for fmx_dec2.sh

    B.1.3 Implementation

    1#!/usr/bin/env bash 2# FMX -> Layer2 (Blowfish-ECB) decrypt helper 3# 4# Usage: 5# ./fmx_dec2.sh /path/to/FMX_file [out_dir] 6# ./fmx_dec2.sh unitree/etc/master_service/* 7# 8# Notes: 9# - Requires OpenSSL 3 with legacy provider enabled 10# - FMX header is 32 bytes. Payload is Blowfish-ECB with fixed key 11# - Some payloads are not multiples of 8. We zero-pad the last block 12# - Output goes to [out_dir]/.dec2 (default: ./fmx_dec2_out) 13 14set -euo pipefail 15 16if [[ $# -lt 1 ]]; then 17 echo "Usage: $0 [out_dir]" >&2 18 exit 1 19fi 20 21OUT_DIR=${2:-"$(pwd)/fmx_dec2_out"} 22mkdir -p "$OUT_DIR" 23 24# Blowfish key for Layer 2 (from analysis) 25BF_KEY_HEX=${BF_KEY_HEX:-"[REDACTED_KEY]"} 26 27# Ensure OpenSSL legacy provider is active 28LEG_CONF=${OPENSSL_CONF:-/tmp/openssl_legacy_fmx.conf} 29if [[ ! -f "$LEG_CONF" ]]; then 30 cat > "$LEG_CONF" <<’CONF’ 31openssl_conf = openssl_init 32[openssl_init] 33providers = provider_sect 34[provider_sect] 35default = default_sect 36legacy = legacy_sect 37[default_sect] 38activate = 1 39[legacy_sect] 40activate = 1 41CONF 42 export OPENSSL_CONF="$LEG_CONF" 43fi 44 45shopt -s nullglob 46for f in "$1"; do 47 : # allow single file 48done 49for f in "$@"; do 50 if [[ ! -f "$f" ]]; then 51 continue 52 fi 53 base=$(basename "$f") 54 out="$OUT_DIR/${base}.dec2" 55 # Check FMX magic 56 if ! head -c 4 "$f" | grep -q $’FMX\x01’; then 57 echo "[skip] $f (no FMX magic)" >&2 58 continue 59 fi 60 echo "[+] Decoding L2: $f -> $out" 61 # Strip 32-byte header, pad to 8, then decrypt 62 # shellcheck disable=SC2002 63 tail -c +33 "$f" \ 64 | dd bs=8 conv=sync status=none \ 65 | openssl enc -bf-ecb -nopad -d -K "$BF_KEY_HEX" -out "$out" 66done 67 68echo "[+] Done. Outputs in $OUT_DIR"
    Listing 15: Complete fmx_dec2.sh script implementation

    B.1.4 Technical Notes

    • The script automatically configures OpenSSL 3’s legacy provider to enable Blowfish support

    • The 32-byte FMX header is stripped using tail -c +33

    • Non-aligned payloads are padded to 8-byte boundaries using dd bs=8 conv=sync

    • The static Blowfish key (redacted for security) is hardcoded

    • Output files have the .dec2 extension to indicate Layer 2 decryption

    Appendix C Humanoid Robotics Companies Overview

    This appendix presents a comprehensive overview of companies developing humanoid robots, compiled from industry data as of 2025. The table includes key information about each company’s robots, market positioning, and technical capabilities.

    Table C.1: Humanoid Robotics Companies and Their Platforms
    Company Robot Name(s) Founded Headquarters Status Target Market Technologies Key Features Price
    1X Technologies EVE, NEO Beta 2014 Sunnyvale, CA, USA / Moss, Norway Pilot/Trials Home assistance, Commercial Proprietary Safety-focused design, embodied AI ~$50,000 (est.)
    AgiBot (Zhiyuan) RAISE A1, RAISE A2 2023 Shanghai, China Development General purpose Proprietary; Embodied AI Embodied AI, collaborative learning
    Agility Robotics Digit 2015 Albany, OR, USA Commercial Warehousing, Logistics Proprietary SDK Legged mobility for warehouses, autonomous navigation
    Apptronik Apollo 2016 Austin, TX, USA Pilot/Trials Manufacturing, Logistics Proprietary Swappable battery, 55 lb payload <$50,000 (target)
    Astribot Astribot S1 2022 Shenzhen, China Development Household, Service Proprietary High-speed manipulation for domestic tasks
    Boston Dynamics Atlas (Electric) 1992 Waltham, MA, USA Research Industrial, Research Proprietary Highly dynamic mobility, fully electric
    Clone Robotics Clone Torso 2021 Wrocław, Poland Development Research, Prosthetics Proprietary Biomimetic muscles, artificial bones
    Deep Robotics DR01 2017 Hangzhou, China Development Industrial Proprietary Robust locomotion, modular design
    Disney Research Various prototypes 1952 Los Angeles, CA, USA Research Entertainment Proprietary research stack Character animation, expressive motion Research only
    EngineAI PM01, SE01 2023 Shenzhen, China Development Industrial, Service Proprietary Acrobatic capabilities, multi-modal AI
    Engineered Arts Ameca, RoboThespian 2004 Falmouth, UK Commercial Entertainment, Research Proprietary Expressive faces, modular design £100,000+
    Figure AI Figure 01, Figure 02 2022 Sunnyvale, CA, USA Pilot/Trials Manufacturing, Warehousing Proprietary; OpenAI APIs Embodied AI integration, dexterous hands
    Fourier Intelligence GR-1, GR-2 2015 Shanghai, China Commercial Healthcare, Rehabilitation Proprietary 53 DoF, FSR sensors $30k–$50k
    Hanson Robotics Sophia, Grace 2013 Hong Kong Commercial Healthcare, Entertainment Proprietary Realistic facial expressions, conversational AI $75,000+
    Kepler Exploration Forerunner 2023 Beijing, China Prototype General purpose Proprietary 12 DoF hands, 40 DoF total $20k–$30k
    LimX Dynamics CL-1 2022 Shenzhen, China Development Industrial Proprietary; RL-based locomotion Dynamic locomotion, RL techniques
    NEURA Robotics 4NE-1 2019 Metzingen, Germany Development Collaborative work Proprietary Cognitive abilities, sensor fusion
    Promobot Robo-C 2 2015 Perm, Russia Commercial Service, Retail Proprietary Realistic skin, facial recognition $25k–$50k
    Sanctuary AI Phoenix Gen 7 2018 Vancouver, BC, Canada Pilot/Trials Retail, Manufacturing Proprietary (Carbon AI) Embodied AI, human-like hands
    Tesla Optimus Gen 2 2003 Austin, TX, USA Development Manufacturing, Logistics Proprietary Tesla-designed actuators, 11 DoF hands $20k–$30k (target)
    Toyota Research Institute T-HR3 2016 Los Altos, CA, USA Research Remote operation, Service Proprietary research stack Master–slave teleoperation, torque servo Research only
    UBTECH Robotics Walker X 2012 Shenzhen, China Commercial Service, Entertainment Proprietary 41 DoF, visual navigation
    Unitree Robotics G1, H1 2016 Hangzhou, China Commercial Research, Industrial SDK (C++/Python); ROS support Affordable platforms, 23 DoF $16,000+
    Xiaomi CyberOne 2010 Beijing, China Prototype Consumer, Service Proprietary Emotion recognition, 21 DoF

Read the original paper ↗

Citation