Unitree GO-M8018-6 Motor Reverse Engineering

May 23, 2026 by Maya Posch 10 Comments

People seem to be rather into the Unitree Go2 quadruped robot, if only for the low price tag. But perhaps more interesting are the motors that propel it — they appear to be similar to the Go1’s GO-M8010-6 motors that Unitree also sells, with [Thomas Flayols] currently working on reverse-engineering its proprietary driver using the publicly available documentation for that motor and some reverse-engineering.

These motors are an assembly that includes a reducer, magnetic encoder, 3-phase inverter, current sensing, an RS-485 bus and a Cortex-M0-based CMS32M57xx MCU, all in a very capable package intended for robotics applications where a compact actuator is needed.

The first step of reverse-engineering involved the physical PCB, made all the more difficult as Unitree was so kind as to remove all markings on the ICs. Fortunately using an X-ray machine and some sleuthing it was possible to deduce the MCU and other components. Following this SWD/OpenOCD access to the MCU could be established and the firmware key extracted from the bootloader SRAM.

Although the firmware was encrypted, a locally recovered key was found to decrypt it. This allowed for an initial custom firmware to be developed, which [Thomas] hopes to develop into a fully featured open source firmware. Doing so would obviously open these motors to a larger audience outside of Unitree’s ecosystem, as they are pretty good value for what they offer mechanically.

It might give the associated Go2 robot a new life too considering the serious malware accusations and security issues pertaining to its firmware.

This Week In Security: Android Exposes ADB, ShinyHunters Get Paid, Robot Dogs, And More

May 18, 2026 by Mike Kershaw 26 Comments

Google has patched an Android ADB bug in the May security patch set. If you have a Pixel phone you should already have the patches, and most other major manufacturers should be close behind. Unfortunately, the biggest risk from this patch will be to the vendors who are also the least likely to release timely – or any – security updates.

ADB, the Android Debug Bridge, is the main tool for installing apps during development and debugging apps while they’re running. It can also be used to side-load apps from a PC. While most normal users are unlikely to ever enable it, developers typically do and some power users might when jailbreaking a device or setting parameters not exposed in the Android UI. Debugging can be done locally via USB, or optionally over the network. To protect the device, the user must unlock the Android device and authorize each new debug agent.

Covered by Risky.Biz, a bug introduced in 2020, and present in every Android release since, allowed bypassing authorization entirely if network debugging was enabled and at least one connection had been made to the ADB service in the past. This happens because ADB compares the certificate of the incoming debug connection with the list of saved certificates. If the certificate type does not match — for instance supplying an Ed25519 certificate instead of a RSA certificate — ADB has been incorrectly handling the error code, and allowing the connection.

In most programming languages, false is considered zero, and true is considered anything not zero. The certificate API returns a 1 for a valid match, a zero for an invalid match, and a negative-one for a type mismatch. Negative one is not zero, so when treated as a boolean value, it becomes true.

To exploit the bug, ADB must be enabled in wireless mode, and there must be at least one trusted device in the ADB configuration. For the average user this is an unlikely combination, but for developers, the time to update is now.

Continue reading “This Week In Security: Android Exposes ADB, ShinyHunters Get Paid, Robot Dogs, And More” →

The Dark Side Of Unitree Robot Dogs

May 12, 2026 by Maya Posch 31 Comments

Arbitrary command execution with the Wi-Fi password. (Credit: Benn Jordan)

Continuing on his quest to expose the dark underbelly of modern technology, [Benn Jordan] recently did a deep-dive into the rise of so-called robot dogs. Although their most striking resemblance with biological dogs is that they also have four legs and generally follow commands, [Benn] found many issues with them that range from safety issues due to limited sensory capabilities, to basic security vulnerabilities, all the way to suspicious network traffic from Unitree’s robot dog firmware.

Although not the only seller of this type of quadruped robot, Unitree Robotics has made a name for itself by offering very capable and yet very cheap products. Their basic quadruped robot costs only a few thousand clams and features Lidar and heaps of processing power, all of which should make it a pretty useful device.

Despite this, [Benn] found that the original task that he’d envisioned for the robot, as in protecting his chickens from uninvited visitors, wouldn’t quite work as the robot is rather blind. The reason for this is the placement of the Lidar below the head, which obscures most of what’s behind and around the robot. Rather than risk trampled chickens and chicks, this plan was thus abandoned.

When digging further into the robot, he found an easy to exploit arbitrary command execution flaw via the Wi-Fi password entry field, a year-old CVE-2025-2894 exploit, as well as highly suspicious traffic to Chinese servers whenever the robot’s software figured that it was not being watched. It’s not just their dogs either: UniTree’s humanoid robots are also succeptible.

Although much of this can be circumvented with hacks, issues like the sensory limitations and general distrust of firmware updates makes using these robots a rather daunting and often ill-advised proposition.

Continue reading “The Dark Side Of Unitree Robot Dogs” →

Hackaday Links: October 5, 2025

October 5, 2025 by Dan Maloney 14 Comments

What the Flock? It’s probably just some quirk of The Almighty Algorithm, but ever since we featured a story on Flock’s crime-fighting drones last week, we’ve been flooded with other stories about the company, some of which aren’t very flattering. The first thing that we were pushed was this handy interactive map of the company’s network of automatic license plate readers. We had no idea how extensive the network was, and while our location is relatively free from these devices, at least ones operated on behalf of state, county, or local law enforcement, we did learn to our dismay that our local Lowe’s saw fit to install three of these cameras on the entrances to their parking lot. Not wishing to have our coming and goings documented, we’ll be taking our home improvement dollars elsewhere for now.

Continue reading “Hackaday Links: October 5, 2025” →

Unitree Humanoid Robot Exploit Looks Like A Bad One

September 30, 2025 by Donald Papp 11 Comments

Unitree have a number of robotic offerings, and are one of the first manufacturers offering humanoid robotic platforms. It seems they are also the subject of UniPwn, one of the first public exploits of a vulnerability across an entire robotic product line. In this case, the vulnerability allows an attacker not only to utterly compromise a device from within the affected product lines, but infected robots can also infect others within wireless range. This is done via a remote command-injection exploit that involves a robot’s Bluetooth Low Energy (BLE) Wi-Fi configuration service.

While this may be the first public humanoid robot exploit we have seen (it also affects their quadruped models), the lead-up to announcing the details in a post on X is a familiar one. Researchers discover a security vulnerability and attempt responsible disclosure by privately notifying the affected party. Ideally the manufacturer responds, communicates, and fixes the vulnerability so devices are no longer vulnerable by the time details come out. That’s not always how things go. If efforts at responsible disclosure fail and action isn’t taken, a public release can help inform people of a serious issue, and point out workarounds and mitigations to a vulnerability that the manufacturer isn’t addressing.

The biggest security issues involved in this vulnerability (summed up in a total of four CVEs) include:

Hardcoded cryptographic keys for encrypting and decrypting BLE control packets (allowing anyone with a key to send valid packets.)
Trivial handshake security (consists simply of checking for the string “unitree” as the secret.)
Unsanitized user data that gets concatenated into shell commands and passed to system().

The complete attack sequence is a chain of events that leverages the above in order to ultimately send commands which run with root privileges.

We’ve seen a Unitree security glitch before, but it was used to provide an unofficial SDK that opened up expensive features of the Go1 “robot dog” model for free. This one is rather more serious and reportedly affects not just the humanoid models, but also newer quadrupeds such as the Go2 and B2. The whole exploit is comprehensively documented, so get a fresh cup of whatever you’re drinking before sitting down to read through it.

Hackaday Links: June 8, 2025

June 8, 2025 by Dan Maloney 21 Comments

When purchasing high-end gear, it’s not uncommon for manufacturers to include a little swag in the box. It makes the customer feel a bit better about the amount of money that just left their wallet, and it’s a great way for the manufacturer to build some brand loyalty and perhaps even get their logo out into the public. What’s not expected, though, is for the swag to be the only thing in the box. That’s what a Redditor reported after a recent purchase of an Nvidia GeForce RTX 5090, a GPU that lists for $1,999 but is so in-demand that it’s unobtainium at anything south of $2,600. When the factory-sealed box was opened, the Redditor found it stuffed with two cheap backpacks instead of the card. To add insult to injury, the bags didn’t even sport an Nvidia logo.

The purchase was made at a Micro Center in Santa Clara, California, and an investigation by the store revealed 31 other cards had been similarly tampered with, although no word on what they contained in lieu of the intended hardware. The fact that the boxes were apparently sealed at the factory with authentic anti-tamper tape seems to suggest the substitutions happened very high in the supply chain, possibly even at the end of the assembly line. It’s a little hard to imagine how a factory worker was able to smuggle 32 high-end graphics cards out of the building, so maybe the crime occurred lower down in the supply chain by someone with access to factory seals. Either way, the thief or thieves ended up with almost $100,000 worth of hardware, and with that kind of incentive, this kind of thing will likely happen again. Keep your wits about you when you make a purchase like this.

Continue reading “Hackaday Links: June 8, 2025” →

Browser-Based Robot Dog Simulator In ~800 Lines Of Code

August 5, 2023 by Donald Papp 9 Comments

[Sergii] has been learning about robot simulation and wrote up a basic simulator for a robodog platform: the Unitree A1. It only took about 800 lines of code to do so, which probably makes it a good place to start if one is headed in a similar direction.

Right now, [Sergii]’s simulator is an interactive physics model than runs in the browser. Software-wise, once the model of the robot exists the Rapier JavaScript physics engine takes care of the physics simulation. The robot’s physical layout comes from the manufacturer’s repository, so it doesn’t need to be created from scratch.

To make the tool useful, the application has two models of the robot, side by side. The one on the left is the control model, and has interactive sliders for limb positions. All movements on the control model are transmitted to the model on the right, which is the simulation model, setting the pose. The simulation model is the one that actually models the physics and gravity of all the desired motions and positions. [Sergii]’s next step is to use the simulator to design and implement a simple walking gait controller, and we look forward to how that turns out.

If Unitree sounds familiar to you, it might be because we recently covered how an unofficial SDK was able to open up some otherwise-unavailable features on the robodogs, so check that out if you want to get a little more out of what you paid for.