Reverse-engineering the UniFi inform protocol

Tiny device ID in UniFi check-ins sparks big drama — cheers, nitpicks, and dark mode rage

TLDR: A clever find shows UniFi devices reveal a small device ID up front, letting hosts route gear to the right controller without opening the encrypted data—promising cheaper multi-tenant hosting. Comments split between a snarky typo callout, dark‑mode readability rants, and big dreams of a universal, open‑source controller.

A crafty ex-hosting operator just revealed a neat trick: every UniFi gadget “phones home” and leaves a tiny piece of ID in the clear so you can tell which customer it belongs to—no need to crack the encrypted stuff. Translation: cheaper, shared servers could finally host many customers at once. It’s a smart shortcut built on the device’s MAC (the unique hardware ID) showing up in the packet header, which lets a front door router send traffic to the right controller.

But the comments? Absolute fireworks. One user swooped in to correct the OP’s cheeky “TNBU” quip, calling out that “UBNT” is the classic login and dropping a spicy “You might have a bit of dyslexia, OP!” jab. Another camp derailed into a dark mode visibility meltdown, claiming the code block was basically unreadable in night theme—proof that in 2026, color contrast can overshadow cryptography. Elsewhere, a side quest erupted: camera nerds asking if anyone’s cracked the UniFi camera adoption flow (spoiler: it’s trapped in their own NVR box), while dreamers rallied for one open-source controller to manage every brand like a universal remote for Wi‑Fi.

Add in a trust scare—someone’s DNS filter flagged the OP’s site as “newly registered”—and database diehards floating a MongoDB vs FerretDB migration debate that breaks on restore, and you’ve got peak tech-thread chaos. Verdict: clever networking hack, buried under nitpicks, UX gripes, and big open‑source dreams.

Key Points

  • UniFi devices contact their controller via HTTP POST to port 8080 approximately every 10 seconds using the inform protocol.
  • The inform payload is AES-128-CBC encrypted, but the first 40 bytes of the packet header are plaintext.
  • The plaintext header includes a magic value (“TNBU”), version, device MAC address, flags, AES IV length, IV, data version, and payload length.
  • The device MAC address is unencrypted at byte offset 8, enabling identification before decryption and facilitating routing.
  • A multi-tenant proxy can map MAC addresses to tenants and forward the full (unchanged) packet to the correct backend controller; the web UI on port 8443 can be proxied by subdomain.
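
An added sketch of the routing step the key points describe (not code from the original write-up or from Ubiquiti): validate the magic, read the 6-byte MAC at offset 8 of the plaintext header, and choose a backend without touching the encrypted payload. The tenant table, backend URLs and sample packet are constructed for illustration; only the magic value, the 40-byte header length and the MAC offset come from the page.

```python
"""Route UniFi inform packets by the plaintext MAC in the header."""

MAGIC = b"TNBU"     # magic value, as given on the page
HEADER_LEN = 40     # plaintext header length, as given on the page
MAC_OFFSET = 8      # MAC byte offset, as given on the page
MAC_LEN = 6         # a MAC address is 6 bytes

# Hypothetical tenant table: device MAC -> backend controller inform URL.
TENANTS = {
    "aa:bb:cc:00:00:01": "http://tenant-a.internal:8080/inform",
    "aa:bb:cc:00:00:02": "http://tenant-b.internal:8080/inform",
}


class InformError(ValueError):
    """Raised when a request body is not a well-formed inform packet."""


def extract_mac(packet: bytes) -> str:
    """Return the device MAC from the plaintext header, lower-case hex."""
    if len(packet) < HEADER_LEN:
        raise InformError("shorter than the 40-byte header")
    if packet[:4] != MAGIC:
        raise InformError("bad magic")
    raw = packet[MAC_OFFSET:MAC_OFFSET + MAC_LEN]
    return ":".join(f"{b:02x}" for b in raw)


def route(packet: bytes, tenants=TENANTS):
    """Return (backend_url, packet) for a known device, else None.

    The packet is returned unchanged so the controller can still decrypt it.
    The MAC is unauthenticated plaintext: use it only to choose a backend,
    not as proof of device identity.
    """
    backend = tenants.get(extract_mac(packet))
    return None if backend is None else (backend, packet)


def build_sample(mac_hex: str) -> bytes:
    """Constructed packet: real magic and MAC offset, all other bytes zero."""
    header = bytearray(HEADER_LEN)
    header[:4] = MAGIC
    header[MAC_OFFSET:MAC_OFFSET + MAC_LEN] = bytes.fromhex(mac_hex)
    return bytes(header) + b"\x00" * 32  # stand-in for the encrypted payload
```

Returning `None` for an unknown MAC lets the proxy decide separately whether to drop the request or send it to an adoption queue.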

Hottest takes

"You might have a bit of dyslexia, OP!" — devmor
"some of the text is #24292E on top of #141A16, which for me at least is practically invisible" — voidUpdate
"I really want an open source access point controller daemon" — mrweasel