{"id":16797075,"url":"https://github.com/dmke/inform-inspect","last_synced_at":"2026-03-10T18:04:58.672Z","repository":{"id":39421251,"uuid":"139639778","full_name":"dmke/inform-inspect","owner":"dmke","description":"Ubiquiti Unifi Inform Packet Inspector","archived":false,"fork":false,"pushed_at":"2025-03-07T10:39:20.000Z","size":45,"stargazers_count":13,"open_issues_count":1,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-04-11T00:12:21.295Z","etag":null,"topics":["debugging","reverse-engineering","sdn","ubnt","unifi","unifi-controller"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dmke.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-03T21:42:54.000Z","updated_at":"2025-03-20T16:12:00.000Z","dependencies_parsed_at":"2024-03-04T10:47:19.765Z","dependency_job_id":"fd031d4b-9420-4abe-9caf-9502bffd64f7","html_url":"https://github.com/dmke/inform-inspect","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmke%2Finform-inspect","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmke%2Finform-inspect/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmke%2Finform-inspect/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dmke%2Finform-inspect/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dmke","download_url":"https://codeload.github.com/dmke/inform-inspect/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248317729,"owners_count":21083530,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debugging","reverse-engineering","sdn","ubnt","unifi","unifi-controller"],"created_at":"2024-10-13T09:21:04.517Z","updated_at":"2026-03-10T18:04:53.512Z","avatar_url":"https://github.com/dmke.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003e **Note: With the release of Unifi SDN Controller version 5.12.x the\n\u003e inform package format has changed. As of now, the encryption scheme is\n\u003e unknown and hence this package is considered defunkt.**\n\u003e\n\u003e This basically affects all firmwares since at least v4.0.20 (maybe\n\u003e even earlier versions).\n\u003e\n\u003e Feel free to [open a new issue][] if you find clues on how to decipher\n\u003e current inform packages.\n\n[open a new issue]: https://github.com/dmke/inform-inspect/issues/new\n\n\n# inform-inspect\n\nInspector for Ubiquiti Unifi Inform Pakets. Useful for debugging or\ncreating external statistics.\n\n\n## Setup\n\nYou need access to a few things:\n\n1. Incoming inform packets. These are Application Layer packets (HTTP)\n   directed to the controller (usually \u003chttp://unifi:8080/inform\u003e).\n\n2. The controller's MongoDB, which holds the encryption key for the\n   inform packets. By default, this is a local child process of the\n   controller application, running on a non-standard port.\n\n3. The `inform-inspect` binary for your platform.\n\nWhether you setup `iptables` port mirroring (\"TEE\"), inject a MitM TCP\nproxy and selectively divert the inform packages, or capture packets\nwith `tcpdump` (for later analysis) is up to you. The sample command\nincluded in this package only deals with offline data (for now).\n\nTo get to the AES encryption/decryption key, you can perform this query\nagainst MongoDB:\n\n```js\ndb.collection(\"device\")\n  .find({ mac: \"\u003cmac address\u003e\" }, { _id: 0, x_authkey: 1 })\n```\n\nwhere `\u003cmac address\u003e` is the MAC address of the device in question (in\nlower-case colon-notation, like `aa:00:11:dd:ee:ff`).\n\nAlternatively, you can SSH into the device (using the Site's SSH\ncredentials) and look for a line `mgmt.authkey=\u003c32 hex digits\u003e` in\n`/var/etc/persisted/cfg/mgmt`. Note: each device has a different key.\n\n## Installation\n\nThe binary is easily obtained with this command (assuming you have the\nGo toolchain installed):\n\n```\ngo install github.com/dmke/inform-inspect/cmd/inform-inspect@latest\n```\n\nThis puts `inform-inspect` into `$(go env GOPATH)/bin`, which then can be\ncalled with the AES key and the path to a file containing the HTTP body\nof the inform request:\n\n\n```\n$(go env GOPATH)/bin/inform-inspect abcdef0123456789abcdef0123456789 /path/to/inform.dat\n```\n\nThe program call can have one of three results:\n\n| Exit code | Output |   |\n|:----------|:-------|:--|\n| 0 | JSON to `stdout`    | only if decrypted data is recognized as JSON |\n| 0 | hexdump to `stdout` | decoding succeeds, but is not recognized as JSON |\n| 1 | error message to `stderr` | decoding failed for some reason |\n\nPlease file a [bug report][issues] if you get a hexdump or if you believe\nthe error message to be incorrect. Don't forget to attach a BLOB for\nreproduction.\n\n[issues]: https://github.com/dmke/inform-inspect/issues\n\n## Next steps\n\nTechnically, you don't need to know the password in advance. This\npackage is built around a two-step decoding model: first parse the raw\nbyte stream into a data structure and then decrypt/decompress its\npayload.\n\nSince the device's MAC address is embedded in plain text in the byte\nstream's header, one could easily retrieve the necessary AES key\non-demand from the MongoDB (PR welcome).\n\nAfter that, a MitM sitting between the Unifi Controller and the device\nwould be handy.\n\n\n## Thanks\n\nThis builds upon protocol details gathered by [Mike Crute][mcrute] and\n[Jeffrey Kog][jk-5]:\n\n- \u003chttps://github.com/mcrute/ubntmfi/blob/master/inform_protocol.md\u003e\n- \u003chttps://github.com/jk-5/unifi-inform-protocol\u003e\n\nI'd also like to thank Redditor [/u/CornerAssignment][CornerAssignment]\nfor pointing me in the right direction when I was stuck identifying the\ncompression mechanism and not realizing the padding was still attached\nto the cleartext stream.\n\n[jk-5]: https://github.com/jk-5\n[mcrute]: https://github.com/mcrute\n[CornerAssignment]: https://www.reddit.com/user/CornerAssignment\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdmke%2Finform-inspect","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdmke%2Finform-inspect","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdmke%2Finform-inspect/lists"}