FilterHN

Reverse-engineering the UniFi inform protocol

93 points

by baconomatic

5 hours ago

| past

| 8 comments

| tamarack.cloud

| HN

▲

ctippett

2 hours ago

[-]

Nice trick. Just a heads up that I had to whitelist your domain as NextDNS blocked it for being newly registered.

Given this thread will probably attract other Unifi users... has anyone had success migrating from MongoDB to something like FerretDB?

I played around with getting this to work a few weeks ago and found that day-to-day it works without issue, but restoring a backup will error since it relies on some unsupported Mongo semantics (renaming collections iirc).

▲

adobrawy

1 hour ago

[-]

How are you performing backup of FerratDB? Are you using MongoDB tools, or are you using PostgreSQL-specific tools?

▲

paulddraper

2 hours ago

[-]

What does an admin do about NextDNS blocks?

▲

bastawhiz

2 hours ago

[-]

If you subscribe to the mindset of "new domains are likely to be bad" you just deal with a steady stream of allowlist requests from your users until the end of time. There will be new domains until the end of time, and site owners shouldn't be doing anything extra (imo) to justify their existence to admins. If you use a firewall voluntarily and that firewall blocks sites that are legitimate, that's on you, not the site owner.

We get this a lot at my job, where many customers' admins block s3 buckets by default. We give our customers a list of hostnames to allowlist and if they can't figure it out, that's on them.

▲

ThePowerOfFuet

9 minutes ago

[-]

>If you subscribe to the mindset of "new domains are likely to be bad" you just deal with a steady stream of allowlist requests from your users until the end of time.

Newly-registered domains are not generally an issue with enterprise users. However, they are overrepresented in malicious traffic due to domain-generation algorithms (DGAs).

▲

mrweasel

2 hours ago

[-]

It seems like a pretty tall order, but I really want an open source access point controller daemon that knows how to provision and manage a wide variety of APs from different manufacturers.

So you'd have one services that can provision Ubiquity, MikroTik, TPLink and other APs and manage the clients.

▲

myself248

15 minutes ago

[-]

Alternately, run OpenWRT on the APs themselves, and then you just need one provisioning protocol.

▲

baconomatic

2 hours ago

[-]

Now that would be interesting! Multi-vendor support is on the radar, but haven't started looking into it much yet.

▲

CptKriechstrom

2 hours ago

[-]

Do I miss something? How do you adopt the device in the first place? If you have to SSH into the device and set the inform URL manually could't you just route the request based on the request hostname?

▲

baconomatic

2 hours ago

[-]

Yep, once you set-inform the host header handles the routing. This in particular is most useful for things like DHCP Option 43, where devices only get an IP.

▲

CptKriechstrom

2 hours ago

[-]

But if you only got that IP and a MAC-Address - how do you know which tenant is supposed to adopt the device?

▲

baconomatic

2 hours ago

[-]

We support two approaches, you can either pre-register MAC-Addresses or you can add source IP's to assist with that mapping. There is more information in our docs about this: https://tamarack.cloud/docs/migration

▲

devmor

3 hours ago

[-]

> ("TNBU" is "UNBT" backwards, presumably UniFi Broadcast Technology.)

This seems like an odd misunderstanding, especially because the correct inversion “UBNT” is the default login name for most UniFi web UIs.

You might have a bit of dyslexia, OP!

▲

baconomatic

3 hours ago

[-]

You might be onto something there! But yes, good catch, I'll get that updated.

▲

dwood_dev

3 hours ago

[-]

ubnt has been the ubiquiti default login at least back to 2010 when I started using their products, before UniFi was a brand. I always assumed it was short for Ubiquiti Networks.

▲

hrimfaxi

3 hours ago

[-]

Sure, but the parent was saying this part was odd:

> "TNBU" is "UNBT" backwards

TNBU is clearly NOT uNbt backwards.

▲

idorosen

3 hours ago

[-]

Using the network byte ordering (big endian) of UBNT as the magic number in the protocol is a nice touch.

▲

EvanAnderson

3 hours ago

[-]

I believe they used MIPS processors in their early gear, so that makes sense.

▲

mikepurvis

2 hours ago

[-]

A lot of companies in that space did then. I was at a robotics company at the time and we experimented with mikrotik routerboards + the various long-range Ubiquiti wifi modules, some of which are even still listed on the website: https://techspecs.ui.com/uisp/accessory-tech/xr (though not the 900 MHz XR9, which was arguably one of the most interesting for long range comms)

▲

bxbdbehdbdb

1 hour ago

[-]

I don't quite get the reason for sniffing the packets. Wouldn't it be simpler to just run multiple VMs on one host to be multi tenant?

▲

baconomatic

1 hour ago

[-]

It would definitely be simpler, however the routing issue still stands. You would need to have a public IP for every VM, which is getting less practical. The MAC-based proxy makes it so we only need one IP and we can worry about the routing within our platform instead.

▲

scottlamb

2 hours ago

[-]

Bit of a thread-jack, but has anyone reverse-engineered the UniFi camera adoption protocol? I was surprised to discover that, unlike the APs, the cameras can't be adopted through the Unifi Software Controller that you can just throw into a Docker container. You're supposed to do that through their NVR appliance (Unifi Protect). I was hoping to just use them with my open-source NVR. They seem to be about the only option for a reasonably priced, larger image sensor camera that is not made by a company participating in the Uyghur genocide (Hikvision, Dahua, Univision, Huawei).

I found https://community.home-assistant.io/t/unifi-cameras-without-... in which someone sshed in, edited some config files by hand, and got streaming to work for the current boot. One could probably take that a bit further and, you know, save the config to flash. But it'd be nice to just do it the way their controller does and know it's going to work for future firmware updates and such.

They also stream by connecting to your NVR with modified version of flv, rather than you connecting to them with RTSP, which is annoying but can be worked around.

▲

ImPostingOnHN

1 hour ago

[-]

If you want to bypass Unifi Protect, what sort of "adoption" are you thinking of? AFAIK, "adoption" is a Unifi Protect thing. Otherwise it's just a device on your network that you can configure Frigate etc. to connect to and pull streams.

▲

scottlamb

1 hour ago

[-]

Changing the credentials for web access (firmware upgrade, janky jpeg-based live stream, etc.) and ssh access from the default ubnt:ubnt. Surprisingly, I don't see a page for this in the web UI, and the `password` command in the CLI is ineffective. I haven't looked around the filesystem.

Setting where it sends the video stream.

Configuring video settings, zone detections, etc. I found a video going through them here: <https://youtu.be/URam5XSFzuM?si=8WK4Yghh9kidZe6c&t=279> Just about any other camera lets you change this stuff through the camera's built-in web interface and/or ONVIF. Ubiquitis apparently don't.

> Otherwise it's just a device on your network that you can configure Frigate etc. to connect to and pull streams.

No, it connects to you!

▲

ImPostingOnHN

53 minutes ago

[-]

You want to change the credentials of the camera, so Frigate can log into it while it is connected to your Unifi network?

I did that for 5 different cameras yesterday, you're saying Unifi's cameras doesn't allow user management? That sucks!

> No, it connects to you!

I thought frigate connects to the camera's RTSP stream (maybe with ONVIF in the mix)?

▲

moonlighter

5 minutes ago

[-]

Unifi cams don't stream RTSP, they stream FLV v1 (FlashVideo) on 3 streams over plain TCP on port 7550, one per quality channel. And yes, they stream that TO the NVR who adopted them only... then the NVR recodes and sends RTSP (configurable).

For the adoption stage, UniFi cameras broadcast on UDP port 10001 using a proprietary TLV (Type-Length-Value) protocol. The Protect console listens on this port and picks up new cameras immediately. 4 bytes `\x01\x00\x00\x00` sent as UDP broadcast to `255.255.255.255:10001`

The response then contains these fields:

  | Hex Code | Field | Data |
  |----------|-------|------|
  | `0x01` | MAC Address | 6-byte hardware address |
  | `0x02` | MAC + IP | Combined MAC and IPv4 address |
  | `0x03` | Firmware Version | String |
  | `0x0B` | Hostname | String |
  | `0x0C` | Platform (Short Model) | String |
  | `0x0A` | Uptime | 64-bit integer |
  | `0x13` | Serial | String |
  | `0x14` | Model (Full) | String |
  | `0x17` | Is Default | Boolean (adopted vs unmanaged) |

After discovery, the Protect console: 1. Connects to the camera via SSH (default credentials) 2. Configures the Inform URL (TCP 8080) 3. Camera registers with the controller

So conceivably at step 2 you could use your own modified URL to point to your own NVR and then grab the FLV streams from there.

▲

scottlamb

47 minutes ago

[-]

> I thought frigate connects to the camera's RTSP stream (maybe with ONVIF in the mix)?

Right, that's the expectation of Frigate, my own Moonfire NVR, and basically every other NVR out there. Ubiquiti decided to think different.

▲

ImPostingOnHN

44 minutes ago

[-]

Well thanks for the heads-up to avoid their cameras.

▲

voidUpdate

2 hours ago

[-]

Is it just me that pretty much cannot read most of the text in the "Reading the MAC" code block? I don't know if it's because I use dark mode, but some of the text is #24292E on top of #141A16, which for me at least is practically invisible

▲

baconomatic

2 hours ago

[-]

Sorry about that, I typically use light mode, fixed and deployed!

▲

voidUpdate

2 hours ago

[-]

A million times better, thanks =)

▲

baconomatic