Inspect, extract, and create UGREEN NAS .upk package files
Project description
upk-tool
Inspect, extract, and create UGREEN NAS .upk package files (UGREEN-PKG-V2-FORMAT).
What is a .upk file?
.upk files are application packages used by UGREEN NAS devices. They contain:
- Cryptographic signatures (RSA-2048) for file integrity and authenticity
- Public keys for signer and manufacturer verification
- App icon (PNG)
- App payload (gzip → tar → XZ → tar with app binaries, configs, web UI)
- Hash chain for additional integrity verification
Format structure
UGREEN-PKG-V2-FORMAT
filesig:344:<base64 RSA signature>
userpub:392:<base64 DER public key>
usersig:344:<base64 RSA signature>
midpub:392:<base64 DER public key>
midsig:344:<base64 RSA signature>
ico:31350:<raw PNG binary>
ugb:15608334:<gzip compressed tar>
obj2:10204:<hex hash chain>
Each field follows the pattern key:length:value where length is the byte count of value.
Installation
pip install upk-tool
For signing support:
pip install upk-tool[signing]
Usage
Inspect a .upk file
upk-tool verify firmware.upk
Output:
File: firmware.upk
Fields: 8
filesig: 344 bytes
userpub: 392 bytes
usersig: 344 bytes
midpub: 392 bytes
midsig: 344 bytes
ico: 31350 bytes
ugb: 15608334 bytes
obj2: 10204 bytes
ugb contents (gzip tar): 2 entries
uninstall.sh (657 bytes)
com.ugreen.comic.ugb (15602856 bytes)
-> com.ugreen.comic.ugb: XZ -> tar with 64 files
Signature verification:
filesig: 256 bytes (RSA-2048)
usersig: 256 bytes (RSA-2048)
midsig: 256 bytes (RSA-2048)
userpub: 294 bytes DER
midpub: 294 bytes DER
Extract a .upk file
upk-tool extract firmware.upk -o extracted/
This will:
- Save all raw fields to the output directory
- Create
metadata.jsonwith field metadata - Decompress the
ugbpayload (gzip → tar) - Decompress inner
.ugbfiles (XZ → tar) - Extract the final app contents
Directory structure:
extracted/
├── metadata.json
├── ico.bin
├── ugb.bin
└── ugb_contents/
├── uninstall.sh
├── com.ugreen.app.ugb
├── com.ugreen.app_files.tar
└── com.ugreen.app_app/
├── sbin/
│ └── my_service
├── config.json
├── www/
│ └── assets/
└── ...
Create a .upk file
upk-tool create ./my_app/ -o my_app.upk --icon icon.png --name myapp
Options:
--icon- PNG icon file (optional, uses 1x1 placeholder if omitted)--name- App name used in the package (default:app)--uninstall- Custom uninstall script (optional)--user-key- RSA private key for user signing (PEM format)--mfg-key- RSA private key for manufacturer signing (PEM format)
Create a signed .upk file
# Generate keys (for testing)
openssl genrsa -out user_key.pem 2048
openssl genrsa -out mfg_key.pem 2048
# Create signed package
upk-tool create ./my_app/ \
-o my_app.upk \
--icon icon.png \
--name myapp \
--user-key user_key.pem \
--mfg-key mfg_key.pem
Note: Without real UGREEN private keys, the package will have valid structure but signatures won't verify on actual hardware.
How to Install Custom Apps on UGREEN NAS
There are three paths to running custom software on a UGREEN NAS:
Path 1: Official Developer Program (Native .upk packages)
UGREEN has an official developer program at developer.ugnas.com that provides a CLI tool (ugcli) and a signing workflow.
Steps:
- Apply for developer authorization - Email
developer@ugreen.comwith your NAS serial number, MAC address, and admin username - Receive authorization file - UGREEN sends back a signature file
- Upload to NAS - Rename it to
ugdev.sigand upload to admin's Personal Folder - Authorize device - Open App Center > Settings > App Development Settings > click "Authorize" (requires UGOS Pro 1.16.0+)
- Develop your app - Use
ugclito create, package, and test your app
# Download ugcli (macOS)
curl -o ugcli https://osswaf.ugnas.com/pro/ugcli/download/ugcli-v1.1.0.12-darwin-amd64
chmod +x ugcli && sudo mv ugcli /usr/local/bin/
# Create a new app project
ugcli create com.mycompany.myapp
# Package into a signed .upk
ugcli pack --build 1
App types supported:
- Native APP - Compiled binary (Go/C/C++) + web frontend (Vue/React/HTML)
- Docker APP - Docker image + docker-compose.yaml + web frontend
Publishing: After testing, email your .upk to developer@ugreen.com for review and listing in the App Center.
Full docs: https://developer.ugnas.com
Path 2: Docker (No Signing Required)
The most popular community approach. No .upk needed at all - just run Docker containers via Portainer or the UGREEN Docker app.
# Install Docker from UGREEN App Center first
# Then use Portainer or docker-compose to run any container
docker run -d --name myapp -p 8899:8080 myimage:latest
See this guide for popular Docker apps on UGREEN NAS.
Path 3: This Tool (Analysis & Extraction)
upk-tool is useful for inspecting, extracting, and analyzing existing .upk packages. It can also create structurally valid packages, but those packages won't install on real hardware without UGREEN's signing keys (see ugcli in Path 1).
⚠️ Package Signing
Packages created by this tool will not install on UGREEN NAS devices because they lack valid RSA-2048 signatures from UGREEN's signing infrastructure. The ugcli tool from UGREEN's developer program handles signing automatically.
How UGREEN Package Signing Works
UGREEN uses a dual-signature RSA-2048 system:
- filesig - RSA-2048 signature of the entire package content
- userpub/usersig - Signer's public key and signature (developer/3rd party)
- midpub/midsig - Manufacturer's public key and signature (UGREEN)
The NAS validates these signatures cryptographically. Any modification to the package content (even 1 byte) invalidates the signature.
What This Tool CAN Do
✅ Extract and analyze existing UGREEN packages
✅ Inspect package structure and signatures
✅ Decompress all layers (gzip, XZ, tar)
✅ Create structurally valid .upk packages
✅ Modify extracted packages (then repack - but signatures will be invalid)
❌ Create installable packages - use ugcli from developer.ugnas.com instead
Reverse Engineering Findings
Analysis of UGREEN's official ugcli tool reveals interesting details about the signing process:
Key Strings Found in ugcli
| String | Significance |
|---|---|
"start signing upk" |
Confirms local signing during pack |
"appmaker.MakePkg(rootfs:%s,ugb:%s,dest:%s)" |
Internal packaging function |
"private key error" |
Handles RSA keys locally |
"RSA PRIVATE KEY" / "RSA PUBLIC KEY" |
Standard PEM markers |
"sig:%d:%s" / "ico:%d:%s" / "pub:%d:%s" / "obj:%d:%s" |
Field format strings |
"UGREEN-PKG-FORMAT" |
Note: no V2 in this string! vs original file's UGREEN-PKG-V2-FORMAT |
"gen app check md5 error" |
MD5 checksum generation |
Signing Flow
Based on the external UgreenNAS-SDK project, the signing flow appears to be:
- Each authorized developer gets a UID-based keypair stored in
/var/cache/ugreen-rsa/on the NAS ugcli packlikely contacts the NAS (or uses theugdev.sigauthorization) to sign the package remotely- The
userpub/usersigfields correspond to your developer key, whilemidpub/midsigare UGREEN's manufacturer keys
Potential for Custom Signing
The signing likely happens via communication with your authorized NAS device. The ugdev.sig file authorizes the device to accept packages signed by your developer UID key stored at /var/cache/ugreen-rsa/<uid>.pub.
Our tool could potentially replicate this workflow if anyone with an authorized NAS wants to investigate where ugcli contacts it for signing.
Python API
from upk_tool import parse_upk, extract_upk, create_upk, verify_upk
# Parse and inspect
fields = parse_upk("firmware.upk")
print(fields.keys()) # ['filesig', 'userpub', 'usersig', ...]
# Extract
extract_upk("firmware.upk", "output_dir/")
# Create
create_upk(
app_dir="./my_app/",
output_path="output.upk",
icon_path="icon.png",
app_name="myapp",
)
# Verify/inspect
verify_upk("firmware.upk")
Development
# Clone and install in development mode
git clone https://github.com/fuho/upk-tool.git
cd upk-tool
pip install -e ".[dev]"
# Run tests
pytest
# Build package
python -m build
# Upload to PyPI
twine upload dist/*
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file upk_tool-0.1.2.tar.gz.
File metadata
- Download URL: upk_tool-0.1.2.tar.gz
- Upload date:
- Size: 77.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
68ee74ffec06c9d9560367ac99e5477f286da965c19fbbe605f7c43b29f758a7
|
|
| MD5 |
c2d2cecd08b54ceea21f5aba2f186fc4
|
|
| BLAKE2b-256 |
5e17fb401f2cdd18dbca8d91f855b8dc15f5b6a385134c97665f907d772cff8c
|
File details
Details for the file upk_tool-0.1.2-py3-none-any.whl.
File metadata
- Download URL: upk_tool-0.1.2-py3-none-any.whl
- Upload date:
- Size: 10.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
660827b70c9a56c0b2547e808815765021f1b990c96ea96f54064dff79b7630a
|
|
| MD5 |
71e432c3eb86742d76333fb179cd5760
|
|
| BLAKE2b-256 |
6c49cb71bac80d0206fa780ab81d8a2ee8aa061769691b2f8fe23d9f3197af1b
|