Derive the LCG seed generation in Unitree FMX encryption

Derive the exact algorithm and data-to-seed mapping used to compute the 32-bit initialization seed for the Linear Congruential Generator (LCG) obfuscation layer within Unitree’s FMX encryption, specifically how device identifiers are transformed into the seed, in order to fully reverse the inner FMX layer beyond the already recovered LCG parameters.

Background

The paper analyzes Unitree’s proprietary FMX encryption scheme, which protects configuration archives for services on the Unitree G1 humanoid robot. FMX uses a dual-layer approach: an outer Blowfish-ECB layer with a static fleet-wide key that the authors fully recovered, and an inner obfuscation layer based on a Linear Congruential Generator (LCG) whose parameters were identified.

While the outer layer is fully broken, the authors state that the seed derivation for the inner LCG-based obfuscation remains only partially understood and was not exhaustively explored. Pinning down the exact seed generation mechanism—from device identifiers to the 32-bit LCG seed—would complete the reversal of FMX and enable comprehensive decryption and analysis of protected configurations across devices.

References

While we successfully broke the outer encryption layer and identified the LCG algorithm parameters, complete reversal of the seed derivation mechanism remains unfinished. Seed Derivation: While we identified the LCG algorithm, the exact seed derivation from device identifiers remains partially understood. The 32-bit seed space is tractable for brute force but was not fully explored.

Cybersecurity AI: Humanoid Robots as Attack Vectors (2509.14139 - Mayoral-Vilches et al., 17 Sep 2025) in Section “FMX Cryptanalysis”; Subsection “Layer 1 (Inner): LCG Obfuscation—PARTIALLY BROKEN”