Unitree Humanoid Robot Exploit Looks Like A Bad One

Unitree have a number of robotic offerings, and are one of the first manufacturers offering humanoid robotic platforms. It seems they are also the subject of UniPwn, one of the first public exploits of a vulnerability across an entire robotic product line. In this case, the vulnerability allows an attacker to utterly compromise a device from within the affected product lines, and infected robots can in turn infect others within wireless range. This is done via a remote command-injection exploit that involves a robot’s Bluetooth Low Energy (BLE) Wi-Fi configuration service.

Unitree’s flagship G1 humanoid robot platform (one of the many models affected)

While this may be the first public humanoid robot exploit we have seen (it also affects their quadruped models), the lead-up to announcing the details in a post on X is a familiar one. Researchers discover a security vulnerability and attempt responsible disclosure by privately notifying the affected party. Ideally the manufacturer responds, communicates, and fixes the vulnerability so devices are no longer vulnerable by the time details come out. That’s not always how things go. If efforts at responsible disclosure fail and action isn’t taken, a public release can help inform people of a serious issue, and point out workarounds and mitigations to a vulnerability that the manufacturer isn’t addressing.

The biggest security issues involved in this vulnerability (summed up in a total of four CVEs) include:

  • Hardcoded cryptographic keys for encrypting and decrypting BLE control packets (allowing anyone with a key to send valid packets.)
  • Trivial handshake security (consists simply of checking for the string “unitree” as the secret.)
  • Unsanitized user data that gets concatenated into shell commands and passed to system().

The complete attack sequence is a chain of events that leverages the above in order to ultimately send commands which run with root privileges.
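The third item in the list above, shown as an added example that is not Unitree's code and not from the researchers' write-up: a shell line built by concatenation, next to a form that checks the received field and passes it as a single argv element. The tool path `/usr/sbin/wifi_setup`, its `--ssid` flag and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical tool path and flag, not taken from any Unitree firmware. */
#define WIFI_TOOL "/usr/sbin/wifi_setup"
#define SSID_MAX 32 /* an 802.11 SSID is at most 32 octets */

/* Weak form: the received text is pasted into a line meant for system(),
 * so quotes or ';' inside it are parsed by /bin/sh as shell syntax. */
int build_shell_line(char *out, size_t cap, const char *ssid) {
    int n = snprintf(out, cap, WIFI_TOOL " --ssid \"%s\"", ssid);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Hardened, step 1: length and byte checks on the raw field (policy assumed here). */
int copy_checked_ssid(char dst[SSID_MAX + 1], const unsigned char *buf, size_t len) {
    if (len == 0 || len > SSID_MAX) return -1;
    for (size_t i = 0; i < len; i++)
        if (buf[i] < 0x20 || buf[i] == 0x7f) return -1; /* NUL, newline, controls */
    memcpy(dst, buf, len);
    dst[len] = '\0';
    return 0;
}

/* Step 2: the value becomes one argv element; no shell ever parses it. */
int build_argv(char *argv[4], char ssid[SSID_MAX + 1]) {
    static char tool[] = WIFI_TOOL, flag[] = "--ssid";
    argv[0] = tool; argv[1] = flag; argv[2] = ssid; argv[3] = NULL;
    return 3;
}

/* Step 3: run the tool directly with execv() instead of system(). */
int run_wifi_setup(const unsigned char *buf, size_t len) {
    char ssid[SSID_MAX + 1], *argv[4];
    int status;
    if (copy_checked_ssid(ssid, buf, len) != 0) return -1;
    build_argv(argv, ssid);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the hardened path never involves a shell, quote and semicolon characters in the field stay literal data and need no blacklist; only the length and control-byte checks remain.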

We’ve seen a Unitree security glitch before, but it was used to provide an unofficial SDK that opened up expensive features of the Go1 “robot dog” model for free. This one is rather more serious and reportedly affects not just the humanoid models, but also newer quadrupeds such as the Go2 and B2. The whole exploit is comprehensively documented, so get a fresh cup of whatever you’re drinking before sitting down to read through it.

Hard Hat Becomes Bluetooth Direction Finder

Have you ever wanted to find a Bluetooth device out in the wild while looking like the comic relief character from a science-fiction series? You might like Dendrite, the direction-finding hat from [SolidStat3].

Dendrite is intended for hunting down Bluetooth devices. It’s capable of direction estimation based on signal strength readings from four ESP32 microcontrollers mounted on an off-the-shelf hard hat. Each ESP32 searches for BLE devices in the immediate area and reports the apparent signal strength to a fifth ESP32, which collates readings from all units. It then runs a simple multilateration algorithm to estimate the direction of the device. This information is then displayed via a ring of addressable LEDs around the perimeter of the hat, with white LEDs marking the direction of the detected device. The only problem? You can’t see the LEDs while you’re wearing the hat. You might need a friend to help you… or you can simply take it off to see what it’s doing.

Ultimately, this project is a useful direction-finding hard hat that would also make a perfect prop from an episode of Inspector Spacetime. We’ve covered direction finding in other contexts before, too. Meanwhile, if you’re cooking up your own innovative hard hat (or radio) hacks, don’t hesitate to let us know!

Homebrew Tire Pressure Monitoring System

When [upir] saw that you could buy tire valve stem caps that read pressure electronically, he decided to roll his own Tire Pressure Monitoring System (TPMS) like the one found on modern cars. An ESP32 and an OLED display read the pressure values. He didn’t have a car tire on his workbench though, so he had to improvise there.

Of course, a real TPMS sensor goes inside the tire, but screwing them on the valve stem is much easier to deal with. The sensors use Bluetooth Low Energy and take tiny batteries. In theory, you’re supposed to connect them to your phone, although two different apps failed to find the sensors. Even a BLE scanner app wouldn’t pick them up. It turns out (and this makes sense) that the sensors don’t send data if there’s no pressure on them, so as not to run down the batteries. Putting pressure on them made them pop up on the scanner.


GarageMinder: Automatic Garage Door

After getting a new car, [Solo Pilot] missed the automatic garage door opening and closing system their old car had. So they set about building their own, called GarageMinder. On the project page you will find a bill of materials, schematics, and some notes about the approach taken in various versions of the software. [Solo Pilot] also made the software available.

The basic hardware centers around a Raspberry Pi Zero W, but there are plans to switch to an ESP32. From the car side of things there are built-in continuous Bluetooth Low Energy (BLE) advertisement broadcasts, which the Raspberry Pi can detect. Building a reliable system on top of these unreliable signals is difficult and you can read about some of the challenges and approaches that were taken during development. This is a work in progress and additional techniques and approaches are going to be trialed in future.

If you’re interested in Bluetooth garage door openers be sure to read about using a Bluetooth headset as a garage door opener for your Android device.


2025 Pet Hacks Contest: Cat At The Door

This Pet Hacks Contest entry from [Andrea] opens the door to a great collaboration of sensors to solve a problem. The Cat At The Door project’s name is a bit of a giveaway to its purpose, but this project has something for everyone, from radar to e-ink, LoRa to 3D printing. He wanted a sensor to watch the door his cats frequent and, when one of his cats was detected, have an alert sent to where he is in the house.

There are several ways you can detect a cat. In this project [Andrea] went with mmWave radar, which is ideal for sensing a cat as it allows the sensor to sit protected inside, it works day or night, and it doesn’t stop working should the cat stand still. In his project log he has a chapter going into what he did to dial in the settings on the LD2410C radar board.

How do you know if you’re detecting your cat, some other cat, a large squirrel, or a small child? It helps if you first give your cats a MAC address, in the form of a BLE tag. Once the radar detects the presence of a suspected cat, the ESP32-S3 starts looking over Bluetooth, and if a known tag is found it will identify which cat or cats are outside waiting.

Once the known cat has been identified, it’s time to notify [Andrea] that his cat is waiting for his door opening abilities. To do this he selected an ESP32 board that includes a SX1262 LoRa module for communicating with the portable notification device. This battery powered device has a low power e-paper display showing you which cat, as well as an audio buzzer to help alert you.

To read more about this project, head over to the GitHub page to check out all the details, including a very impressive 80 page step-by-step guide showing you how to make your own. Also, be sure to check out the other entries into the 2025 Pet Hacks Contest.

Intercepting And Decoding Bluetooth Low Energy Data For Victron Devices

[ChrisJ7903] has created two Arduino programs for reading Victron solar controller telemetry data advertised via BLE. If you’re interested in what it takes to use an ESP32 to sniff Bluetooth Low Energy (BLE) transmissions, this is a master class.

The code is split into two main programs. One program is for the Victron battery monitor and the other is for any Victron solar controller. The software will receive, dissect, decrypt, decode, and report the data periodically broadcast from the devices over BLE.

The BLE data is transmitted in Link-Layer Protocol Data Units (PDUs), which are colloquially called “packets”. In this particular case the BLE functionality for advertising, also known as broadcasting, is used, which means the overhead of establishing connections can be avoided, thereby saving power.

BLE Rain Gauge Sips Water And Batteries

It isn’t that hard to make an electronic rain gauge if you have a steady source of power or you don’t mind changing batteries often. But [Matthew Ford] offers a third option: a simple device with a Bluetooth Low Energy (BLE) module that can get a few years out of a pair of AA batteries.

The approach has several advantages. Batteries make the device self-contained, and changing them infrequently is an obvious win. In addition, the BLE allows the device to be wireless and send data directly to an Android device. Thanks to a WH-SP-RG rain gauge, there’s not much to that part. The smart part is an nRF52832 module and some minor parts. The phone side uses an off-the-shelf Android app.

In a project like this, it is critical to have timers that really put the CPU to sleep. [Matthew] had to modify the Arduino libraries to allow the lp_timer objects to make it to an hour. Without the modifications, the timer can only reach 8.5 minutes. Sure, you could stack them, but that means taking a power hit multiple times an hour which would affect battery life.

Not the most complex project, but more complexity would mean lower battery life, so — as they say — less is more. We couldn’t help but think that with rechargeable batteries and a small solar panel, this could last a very long time.

LoRa, of course, is another choice. You can 3D print a tipping bucket device, too.