unitree

3 Articles

Unitree Humanoid Robot Exploit Looks Like A Bad One

September 30, 2025 by 11 Comments

Unitree have a number of robotic offerings, and are one of the first manufacturers offering humanoid robotic platforms. It seems they are also the subject of UniPwn, one of the first public exploits of a vulnerability across an entire robotic product line. In this case, the vulnerability allows an attacker not only to utterly compromise a device from within the affected product lines, but infected robots can also infect others within wireless range. This is done via a remote command-injection exploit that involves a robot’s Bluetooth Low Energy (BLE) Wi-Fi configuration service.

Unitree’s flagship G1 humanoid robot platform (one of the many models affected)

While this may be the first public humanoid robot exploit we have seen (it also affects their quadruped models), the lead-up to announcing the details in a post on X is a familiar one. Researchers discover a security vulnerability and attempt responsible disclosure by privately notifying the affected party. Ideally the manufacturer responds, communicates, and fixes the vulnerability so devices are no longer vulnerable by the time details come out. That’s not always how things go. If efforts at responsible disclosure fail and action isn’t taken, a public release can help inform people of a serious issue, and point out workarounds and mitigations to a vulnerability that the manufacturer isn’t addressing.

The biggest security issues involved in this vulnerability (summed up in a total of four CVEs) include:

  • Hardcoded cryptographic keys for encrypting and decrypting BLE control packets (allowing anyone with a key to send valid packets.)
  • Trivial handshake security (consists simply of checking for the string “unitree” as the secret.)
  • Unsanitized user data that gets concatenated into shell commands and passed to system().

The complete attack sequence is a chain of events that leverages the above in order to ultimately send commands which run with root privileges.

We’ve seen a Unitree security glitch before, but it was used to provide an unofficial SDK that opened up expensive features of the Go1 “robot dog” model for free. This one is rather more serious and reportedly affects not just the humanoid models, but also newer quadrupeds such as the Go2 and B2. The whole exploit is comprehensively documented, so get a fresh cup of whatever you’re drinking before sitting down to read through it.

Hackaday Links Column Banner

Hackaday Links: June 8, 2025

June 8, 2025 by 20 Comments

When purchasing high-end gear, it’s not uncommon for manufacturers to include a little swag in the box. It makes the customer feel a bit better about the amount of money that just left their wallet, and it’s a great way for the manufacturer to build some brand loyalty and perhaps even get their logo out into the public. What’s not expected, though, is for the swag to be the only thing in the box. That’s what a Redditor reported after a recent purchase of an Nvidia GeForce RTX 5090, a GPU that lists for $1,999 but is so in-demand that it’s unobtainium at anything south of $2,600. When the factory-sealed box was opened, the Redditor found it stuffed with two cheap backpacks instead of the card. To add insult to injury, the bags didn’t even sport an Nvidia logo.

The purchase was made at a Micro Center in Santa Clara, California, and an investigation by the store revealed 31 other cards had been similarly tampered with, although no word on what they contained in lieu of the intended hardware. The fact that the boxes were apparently sealed at the factory with authentic anti-tamper tape seems to suggest the substitutions happened very high in the supply chain, possibly even at the end of the assembly line. It’s a little hard to imagine how a factory worker was able to smuggle 32 high-end graphics cards out of the building, so maybe the crime occurred lower down in the supply chain by someone with access to factory seals. Either way, the thief or thieves ended up with almost $100,000 worth of hardware, and with that kind of incentive, this kind of thing will likely happen again. Keep your wits about you when you make a purchase like this.

Continue reading “Hackaday Links: June 8, 2025”

Browser-Based Robot Dog Simulator In ~800 Lines Of Code

August 5, 2023 by 9 Comments

[Sergii] has been learning about robot simulation and wrote up a basic simulator for a robodog platform: the Unitree A1. It only took about 800 lines of code to do so, which probably makes it a good place to start if one is headed in a similar direction.

Right now, [Sergii]’s simulator is an interactive physics model than runs in the browser. Software-wise, once the model of the robot exists the Rapier JavaScript physics engine takes care of the physics simulation. The robot’s physical layout comes from the manufacturer’s repository, so it doesn’t need to be created from scratch.

To make the tool useful, the application has two models of the robot, side by side. The one on the left is the control model, and has interactive sliders for limb positions. All movements on the control model are transmitted to the model on the right, which is the simulation model, setting the pose. The simulation model is the one that actually models the physics and gravity of all the desired motions and positions. [Sergii]’s next step is to use the simulator to design and implement a simple walking gait controller, and we look forward to how that turns out.

If Unitree sounds familiar to you, it might be because we recently covered how an unofficial SDK was able to open up some otherwise-unavailable features on the robodogs, so check that out if you want to get a little more out of what you paid for.