Derive the LCG seed generation in Unitree FMX encryption
Derive the exact algorithm and data-to-seed mapping used to compute the 32-bit initialization seed for the Linear Congruential Generator (LCG) obfuscation layer within Unitree’s FMX encryption. The open question is specifically how device identifiers are transformed into the seed; answering it would allow the inner FMX layer to be fully reversed, going beyond the already recovered LCG parameters.
References
While we successfully broke the outer encryption layer and identified the LCG algorithm parameters, complete reversal of the seed derivation mechanism remains unfinished. Seed Derivation: While we identified the LCG algorithm, the exact seed derivation from device identifiers remains partially understood. The 32-bit seed space is tractable for brute force but was not fully explored.
— Cybersecurity AI: Humanoid Robots as Attack Vectors
(2509.14139 - Mayoral-Vilches et al., 17 Sep 2025) in Section “FMX Cryptanalysis”; Subsection “Layer 1 (Inner): LCG Obfuscation—PARTIALLY BROKEN”