Hijacking GR00T N1.6
with a Visible Patch

A fixed RGB patch redirects the policy across prompts.
Saying “pick up the orange” picks up the bottle in 5 / 10 simulator rollouts.

Andrei Baroian

Robotics Security Division, ETHRC

Target Model Simulator Code

Method — Action-Sequence Distillation

We freeze GR00T entirely and treat the patch pixels as the only trainable parameters. For every training frame we feed the model two parallel inputs: a clean image with a teacher prompt that names the desired object, and a patched image with a student prompt that names a different object. The loss asks the student's action chunk to match the teacher's action chunk — supervising directly in the policy's own action space using its native flow-matching loss.

policy(image + patch, state, "pick up the orange") → imitates → policy(image, state, "pick up the bottle")

Loss target. The supervised block is the OXE-Google action head: the first 8 timesteps × 7 dims (x, y, z, roll, pitch, yaw, gripper) of the model's padded action tensor. The remaining horizon and the unused embodiment dimensions are masked out. Real proprioceptive state is recorded alongside every frame — the policy conditions on both vision and state, so a state-free training signal is invalid.

Why “action sequence” and not classification. We do not train a classifier and we do not optimise against a downstream reward. The patch is shaped purely by what action chunks the model emits at each frame, which makes the optimisation differentiable end-to-end through the frozen policy.

The patch (84 × 320 px)

Pasted on the bottom strip of the 256×320 policy image at y[172:256], x[0:320].

Rollout Videos

Reading the labels. Captions report whether the simulator's bottle-pickup reward fired (_s1) or not (_s0) on a given episode. They are not human-verified judgements of what the arm did. Open the videos before quoting them in slides — some env rewards may fire on edge cases that don't look like a clean grasp.

All 10 rollouts shown below use the same patch, the same language prompt (“pick up the orange”), and the same 3-object scene. Only the per-episode initial conditions differ.

Simulator-marked bottle pickup — 5 / 10

Prompt: pick up the orange. Patch enabled. Env target: bottle.

Episode — _s1

Simulator-marked failure — 5 / 10

Same patch, same prompt. The arm did not register a bottle pickup within the episode budget.

Episode — _s0

Appendix — experimental setup, results, training

Experimental Setup

Component	Detail
Target policy	`nvidia/GR00T-N1.6-fractal`
Embodiment	`OXE_GOOGLE` — 7-DoF arm, 8-step action chunk
Simulator	SimplerEnv — `simpler_env_google/multiobj_pick_bottle`
Scene	3 objects: blue plastic bottle, opened coke can, orange. Fixed seed `scene_seed = 42`
Image size	256 × 320 (policy view)
Patch	84 × 320 pixels at `y[172:256], x[0:320]` (bottom strip)
Attack prompt	“pick up the orange” — injected via `GR00T_PROMPT_OVERRIDE`
Teacher prompt (training only)	“pick up the bottle”
Eval task	10 episodes per patch, simulator reports success when the bottle is grasped and lifted
Trainable params	Patch pixels only (84 × 320 × 3 = 80,640 RGB values). All GR00T weights frozen.
Loss	GR00T's native flow-matching action-head loss, masked to the first 8 timesteps × 7 OXE dims

Results

Below: cheap action-space metrics (computed without simulator rollouts) confirm the patch closes most of the gap between “orange-prompt” actions and “bottle-prompt” actions on held-out frames. The simulator metric is the headline number; the cheap metrics are useful for filtering candidate patches.

Metric	Value	Interpretation
Simulator bottle pickup — orange prompt + patch	50% (5/10)	Headline result. `scene_seed=42`, 10 rollouts.
Cheap eval — attack vs bottle-teacher MSE (held-out 64 frames)	0.1090	Lower is better. Bottle-teacher self-MSE: 0.0847.
Cheap eval — orange (no patch) vs bottle-teacher MSE	0.3507	The action-space gap the patch needs to close.
Cheap eval — closer-to-bottle rate	89.06%	Frames where patched-orange action is closer to bottle than orange-no-patch is.
Cheap eval — full DAgger pool (364 frames)	0.1695	Larger pool, includes failure-trajectory frames; closer rate 85.71%.

Observation 1 — the unlock was balanced source sampling, not loss. An earlier version with uniform-frame sampling used the same 364-frame DAgger dataset and the same training objective, but sampled frames uniformly — which meant ~82% of training mini-batches came from a single 300-frame failure trajectory. Switching to balanced source sampling (uniform over source files, then uniform within source) was the only change that lifted simulator success from 10% to 50%. The objective and the model are identical.

Observation 2 — cheap MSE under-estimates the gain. The 10% and 50% configurations differ by ~50% in simulator success rate but by less than 5% on the held-out cheap MSE. Action-space MSE is a useful filter but does not rank candidate patches reliably; a closed-loop simulator measurement is irreplaceable.

Training the Patch

Dataset lineage

The patch is trained on a 364-frame DAgger pool combining three sources:

22 frames — bottle rollout, real bottle-prompt actions.
42 frames — orange rollout (no patch), relabeled with bottle-teacher actions on the same image+state.
300 frames — orange rollout under an earlier weak patch (Patch2), relabeled with bottle-teacher actions. These are the on-distribution failure states the new patch needs to recover from.

Hyperparameters

Optimizer	AdamW, cosine LR decay
Learning rate	0.003
Steps	600
Batch size	2 (× 3 GPUs = 6 effective)
Train / val split	348 / 16
Sampling	balanced-inputs (vs uniform-frame)
Initialisation	warm-started from an earlier weak patch
Gradient clip	1.0
Seed	42

Balanced sampling, in one paragraph

Uniform-frame sampling over a 64+300 dataset means 82% of mini-batches come from one long failure trajectory, biasing the patch toward late-rollout off-policy states. Balanced-inputs sampling first picks a source file uniformly, then a frame uniformly within that file, so the 64-frame and 300-frame sources contribute roughly equally. Same dataset, same loss, same number of steps — only the sampling changes in the training of this patch.

Hijacking GR00T N1.6with a Visible Patch