[HN Gopher] Dumping and extracting the SpaceX Starlink user term...
___________________________________________________________________
Dumping and extracting the SpaceX Starlink user terminal firmware
Author : rubenbe
Score : 124 points
Date : 2021-07-06 17:36 UTC (5 hours ago)
(HTM) web link (www.esat.kuleuven.be)
(TXT) w3m dump (www.esat.kuleuven.be)
| flatiron wrote:
| i bet we would all really like to spend some time at SNOW_RANCH!
| sneak wrote:
| Been meaning to do this myself! Great to see it. :)
|
| > _While we would have to perform some more tests it appears that
| a full trusted boot chain (TF-A) is implemented from the early
| stage ROM bootloader all the way down to the Linux operating
| system._
|
| This unfortunately means it will likely be somewhat difficult (or
| infeasible) to reflash it with a custom firmware that uses actual
| GPS location for targeting of satellites but reports a couple km
| offset to the telemetry service APIs to keep my residence address
| somewhat private from my ISP.
|
| It's a bummer they didn't share the dumps. It always bothers me
| when researchers act all coy about their results. Now I have to
| get my hands on a dish myself and do what they didn't (namely,
| actually publish the data).
| nonameiguess wrote:
| Do you normally have the ability to hide your address from your
| ISP? As the first owner of my house, I needed to have them
| physically come out to run a new line that didn't exist before,
| and there is obviously no way to have a cable run to your house
| without telling the cable provider where your house is.
| sneak wrote:
| My terrestrial ISP fails open on identity check/verification,
| so I was able to give them a brand new alias and answer "none
| of the above" to all of the public records verification
| questions, and simply run 100% of the traffic out of the pipe
| over a VPN via a VPN router. They see nothing but ciphertext
| to a datacenter. This did require their largest-tier service
| deposit due to null credit history, but such is life.
|
| To answer your question directly, no, they have the service
| address. But with no other data to link the service address
| to me, this is okay.
|
| With starlink I am hoping to upgrade the privacy setup to
| +/-2km location fuzziness. I don't think I'll ever use an ISP
| without 100% of the last mile traffic being VPN'd ever again.
| nonameiguess wrote:
| How the heck did you manage to purchase the service
| anonymously? I had trouble even putting in service requests
| at first because my wife set up the account and didn't add
| me, so when I called, they wouldn't even talk to me because
| I couldn't prove I was the account owner. How do they bill
| you without knowing who you are?
| sneak wrote:
| Send me an email and I'll be happy to share specifics.
| ravedave5 wrote:
| If someone at starlink wanted your address I don't think lack
| of GPS would stop them.
| sneak wrote:
| What avenues would they have to determine precise location if
| the dish reported its location 1km off, the delivery of CPE
| went to a different name/address, the service is paid for
| with a prepaid card, and 100% of the traffic to/from the
| device is encrypted at L4 to prevent usefulness of sniffing?
| nonameiguess wrote:
| Have you actually ordered Starlink service yet? I'm on the
| list having put in a deposit and they expect to start
| offering service here in September. I had to give them an
| address so they know where to send the satellite to. That
| gives them precise location.
|
| Though sure, you could make the purchase using a pre-paid
| card under a fake identity so they can't associate the
| address with a person. At least not through their own
| records. House deeds are public record, so if you own the
| house, they can figure out who you are by making a public
| records request, which is generally one way refi spammers
| find you.
|
| Plus, depending on where you are, the government itself
| might sell your name and address to third parties. I know
| Texas does this, which is why I put off getting a Texas ID
| for such a long time and continued using California ID until
| Texas last year decided you can't vote with an out-of-state
| ID. So now the DMV is selling my identity and I'm getting a
| lot more spam.
| toomuchtodo wrote:
| Multilateration. Can't cheat RF time of arrival/flight. And
| a StarLink terminal misreporting its position and the
| constellation indicating such an anomaly sounds like a
| paddlin' from StarLink.
|
| https://en.wikipedia.org/wiki/Multilateration
| gruez wrote:
| Time of flight + beamforming data (which essentially
| generates an angle)
| Tuna-Fish wrote:
| They know the locations of their satellites extremely
| precisely, and they know the round-trip time from them to
| the dish. It basically is a positioning system on its own.
| sneak wrote:
| Sure, but to do this would require firmware support (due
| to the timing requirements) in the satellites themselves,
| I believe. I doubt that's happening right now.
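As an added, constructed illustration of the range-based position check this subthread describes (not code from the thread, from SpaceX or from Starlink): a Gauss-Newton multilateration of a ground terminal from four satellite ranges, followed by a comparison against the position the terminal itself reports. The satellite geometry, the noise-free ranges and the 500 m tolerance are all made up for the example.

```python
import math

# Constructed constellation: four satellites at 550 km altitude spread around
# the terminal, in a local east/north/up frame with the terminal at z = 0.
SATS = [(200e3, 200e3, 550e3), (-200e3, 200e3, 550e3),
        (200e3, -200e3, 550e3), (-200e3, -200e3, 550e3)]


def dist(p, s):
    """Distance from a ground point p=(x, y) to satellite s=(x, y, z)."""
    return math.sqrt((p[0] - s[0]) ** 2 + (p[1] - s[1]) ** 2 + s[2] ** 2)


def one_way_ranges(true_pos):
    """Ranges the constellation would derive from round-trip time (noise-free)."""
    return [dist(true_pos, s) for s in SATS]


def multilaterate(ranges, guess=(0.0, 0.0), iters=20):
    """Gauss-Newton least-squares fit of a ground (z=0) position to the ranges."""
    x, y = guess
    for _ in range(iters):
        a11 = a12 = a22 = b1 = b2 = 0.0
        for s, d in zip(SATS, ranges):
            r = dist((x, y), s)
            jx, jy = (x - s[0]) / r, (y - s[1]) / r   # d(range)/dx, d(range)/dy
            res = r - d                               # predicted minus measured
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy   # J^T J
            b1 += jx * res; b2 += jy * res                    # J^T r
        det = a11 * a22 - a12 * a12
        dx = (a22 * b1 - a12 * b2) / det   # (J^T J)^-1 J^T r, 2x2 by hand
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x - dx, y - dy
        if math.hypot(dx, dy) < 1e-3:      # converged to the millimetre
            break
    return x, y


def position_anomaly(reported, ranges, tolerance_m=500.0):
    """Flag a reported position that disagrees with the RF-derived one."""
    est = multilaterate(ranges)
    err = math.hypot(est[0] - reported[0], est[1] - reported[1])
    return err > tolerance_m, err


if __name__ == "__main__":
    truth = (3000.0, -2000.0)                     # constructed true position
    rng = one_way_ranges(truth)
    print("estimated:", multilaterate(rng))
    print("spoofed report flagged:", position_anomaly((4000.0, -2000.0), rng))
```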
| uniqueuid wrote:
| Gives IP geolocation a whole new meaning.
|
| 33-9207N-118-3278W.clients.starlink.com
| perihelions wrote:
| 'X' marks the spot!
| olyjohn wrote:
| How precise is that coordinate? My neighbor and I both have
| Starlink and our dishes can't be more than 200 feet apart.
| fotbr wrote:
| Assuming that they're referring to decimal degree notation,
| and not Degrees-Minutes-Seconds, and that the location is
| correct, and ignoring the spheroid vs perfect sphere
| issues: about 11.1 meters (36.4 ft).
|
| http://wiki.gis.com/wiki/index.php/Decimal_degrees
|
| If it's DMS, again assuming location is correct, ignoring
| spheroid vs sphere: something between 80 and 100 ft (24.4 -
| 30.48 meters).
|
| https://www.usgs.gov/faqs/how-much-distance-does-a-degree-
| mi...
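Added example, not from the thread or from Starlink: a parser for the coordinate-bearing hostname quoted above, with the ground size of one quantisation step worked out the way fotbr estimates it (mean sphere, decimal degrees), plus the check olyjohn asks about. That the dashes stand in for decimal points and the trailing letter is the hemisphere is an assumption about the format.

```python
import math
import re

# Assumed hostname layout: <lat_int>-<lat_frac><N|S>-<lon_int>-<lon_frac><E|W>.<domain>
HOST_RE = re.compile(r"^(\d+)-(\d+)([NS])-(\d+)-(\d+)([EW])\.")

EARTH_RADIUS_M = 6_371_000.0   # mean sphere; spheroid effects ignored as in the thread


def parse_starlink_host(hostname):
    """Return (lat, lon, decimals) from e.g. 33-9207N-118-3278W.clients.starlink.com."""
    m = HOST_RE.match(hostname)
    if not m:
        raise ValueError(f"not a coordinate-encoded hostname: {hostname}")
    lat_int, lat_frac, ns, lon_int, lon_frac, ew = m.groups()
    lat = float(f"{lat_int}.{lat_frac}") * (-1 if ns == "S" else 1)
    lon = float(f"{lon_int}.{lon_frac}") * (-1 if ew == "W" else 1)
    return lat, lon, min(len(lat_frac), len(lon_frac))


def cell_size_m(lat, decimals):
    """Ground size of one quantisation step at this latitude: (north-south, east-west)."""
    step_deg = 10.0 ** -decimals
    metres_per_deg = 2 * math.pi * EARTH_RADIUS_M / 360.0   # about 111.2 km
    north_south = step_deg * metres_per_deg
    east_west = north_south * math.cos(math.radians(lat))   # meridians converge
    return north_south, east_west


def resolves(distance_m, lat, decimals):
    """True if two dishes this far apart would generally get distinct coordinates."""
    ns, ew = cell_size_m(lat, decimals)
    return distance_m > max(ns, ew)


if __name__ == "__main__":
    host = "33-9207N-118-3278W.clients.starlink.com"   # as quoted in the thread
    lat, lon, dec = parse_starlink_host(host)
    print(lat, lon, dec, cell_size_m(lat, dec))
    print("200 ft apart distinguishable:", resolves(200 * 0.3048, lat, dec))
```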
| jcims wrote:
| I was literally just thinking about the inevitability of
| someone doing this yesterday. I don't have the chops but there
| would seem to be a bunch of cool possibilities for the dish
| hardware for the SDR crowd.
| FeepingCreature wrote:
| I don't see how that would work if the satellite has to target
| the dish.
| sneak wrote:
| The beams that aim at the ground are substantially more than
| 1km wide at ground level, to the best of my knowledge.
|
| It's the same concept as ubering to the house two houses down
| and across the street. Close enough for rock'n'roll.
|
| It's also possible I'm totally wrong and this would break
| connectivity--but I doubt it.
| uniqueuid wrote:
| By the way, sharing the dumps is probably a copyright risk.
|
| Science in some countries enjoys copyright exemptions for doing
| research, but not for publishing raw data obtained from
| commercial sources.
| sneak wrote:
| Fair point, but anyone who knows how to dump firmwares knows
| how to publish files anonymously.
| luma wrote:
| In doing so they put themselves in a precarious legal
| position. The author has given you all they legally are
| allowed to. If you want a copy of the firmware, you now
| have all of the information you need to obtain your own
| copy.
| ovi256 wrote:
| > Interestingly, some of these geofences do not seem to have a
| clear connection to SpaceX. While we will not disclose these
| locations here, I will say that the SNOW_RANCH looks like a nice
| location to play with development hardware.
|
| Most likely these are testing locations. Possibly even second
| homes of testers & engineers. After all, this is a product that
| has very different operating parameters depending on location.
| tyingq wrote:
| There's a "Snow Ranch" that is a working cattle ranch near
| Stockton California, where the owners allow model rocket
| launches. http://www.lunar.org/events.shtml
|
| I wonder if that's what he's alluding to. I don't see an
| explicit connection to SpaceX, but it seems to fit.
| FireBeyond wrote:
| Gotta be careful. Someone dumped the firmware from their Tesla
| Model S and discovered info about the then-unannounced Model 3.
|
| Tesla responded by disabling the car's ethernet port, downgrading
| the firmware, and preventing the car from receiving future
| upgrades to software.
| jcims wrote:
| There is a bug bounty for Starlink, this seems to be in scope.
| jve wrote:
| Source?
|
| There is this ex-employee, telling some interesting stories.
| And regarding the downgrade... he was the one who did it for
| reasons he explains. I want to see if you are talking about
| different case or what.
|
| > Question: There's the story online of that hacker who was
| pulling software images off through the door Ethernet port and
| found that his car's firmware was remotely downgraded after he
| uncovered and posted the first references to the P100 models.
|
| > Answer: yup, i'm the guy that installed the older versions.
| this was a marketing mistake really. if i recall correctly, he
| ended up getting a marketing car or his car got tagged in the
| update system as a trusted car and he ended up getting pre-
| release stuff. this happened from time to time - sometimes
| marketing would sell off a car and the poo poo erp system
| wouldn't record the change. that car would then get prerelease
| and sometimes very broken firmware. i seem to recall another
| case where we just forgot to remove the prerelease materials
| from the official build, so all you had to do was look around.
|
| https://forums.somethingawful.com/showthread.php?threadid=38...
| dooglius wrote:
| Uh, that still doesn't paint Tesla in a good light, so this
| guy bought a car running special experimental firmware by
| mistake? What if there was a bug and he crashed?
| kaszanka wrote:
| If you thought Mirai was bad, just wait for the first "IoT"
| car worm that gets people killed. I hope it never happens,
| but if it does...
| W-Stool wrote:
| But you know eventually someone will do a big over the air
| firmware update and brick a couple of hundred cars. This is
| almost certain to happen eventually.
| ivrrimum wrote:
| wth? Is that even legal?
| CorrectHorseBat wrote:
| What I've read from KU Leuven is that they hack all kinds of
| cars, but Tesla's the only one that actually responds with
| fixes instead of lawsuits. [1]
|
| https://www.vrt.be/vrtnws/nl/2020/11/22/onderzoekers-ku-leuv...
| Dah00n wrote:
| They know that if they tried a lawsuit, they would risk having
| to change their entire business model of after-sales updates.
| Many countries (including the entirety of the EU) require a car
| to get a new type approval/certificate of conformity if you
| change a car significantly. When Tesla significantly changes
| a car (install a completely new self-driving system for
| example) every single Tesla is instantly uncertified and
| illegal on roads if Tesla were forced to follow the letter of
| the law. At some point Tesla will come up against this in
| court but so far we haven't really seen much mention of
| it[1]. Going to court over said firmware though and it will
| very likely happen or if someone gets killed because of an
| accident caused by something newly implemented (like FSD
| updates after type approval) then Tesla is on the hook for
| this accident. They are playing with fire and treading
| carefully.
|
| https://electrek.co/2019/01/29/tesla-sales-ban-sweden-
| over-s...
| uniqueuid wrote:
| Great writeup.
|
| I haven't seen products that use geofences to verify debug flags.
| Would it be possible to spoof this using a fake GPS e.g. with
| SDR?
| jandrese wrote:
| Sure, GPS SDR Sim[1] works just fine. You will want to be in an
| RF chamber of some kind not only to prevent the terminal from
| seeing natural GPS signals, but also to prevent you from
| screwing up the GPS in nearby satnav systems. Also because
| broadcasting on those bands on public airwaves is illegal as a
| private citizen.
|
| Of course putting your satellite antenna inside of a RF chamber
| also prevents it from working, so this may not be a viable long
| term strategy. Plus the terminal is undoubtedly using the GPS
| coordinates to calculate the antenna steering profile so you
| won't be able to lock on if your GPS is wrong. But since all
| they want to do is enable access to dump the firmware this
| probably isn't an issue.
|
| [1] https://github.com/osqzss/gps-sdr-sim
| squarefoot wrote:
| Spoofing GPS might be dangerous should the dish detect
| coarsely its position also from the IP satellite link. If it
| does, then having the incoming data telling one position and
| the GPS a very different one, would likely trigger some
| protection.
| uniqueuid wrote:
| Yikes. Thanks for the details AND the warnings.
|
| An interesting question, however, is whether Starlink checks
| whether the satellite you're tuned to is plausible given the
| GPS coordinates ...
| stefan_ wrote:
| I'm not sure the dish can continue to work if it doesn't have a
| real GPS lock. That said, this is a mechanism that they found
| on the dish side in the firmware - firmware that is unencrypted
| stored on that flash chip - so you can obviously manipulate the
| firmware side to ignore the debug fuse stuff.
| nucleardog wrote:
| I'd have to imagine in this case it's using the GPS location to
| assist in acquiring and tracking the satellites (though that's
| entirely a guess based on the "auto-adjusting" that's claimed).
| Spoofing your GPS location like that may work as far as
| bypassing the geofence, but you may not get internet at the
| same time.
| gnu8 wrote:
| Right, if the UT has a mistaken idea of its position, it
| won't find the satellites that it is looking for in orbit,
| and simply not work. Alternatively, if it DID find
| satellites, then it will know at least what cell it is in
| (how big are these?) regardless of the spoofed GPS fix.
| etaioinshrdlu wrote:
| Does anyone know why there is a giant pcb with an array of little
| chips on it? This is not a normal satellite dish. How does it
| work?
| InitialLastName wrote:
| Looks like a phased array [0], which is probably a smart idea
| with a dish like that. Instead of using a parabolic reflector
| with a receiver at the focus (like in a normal satellite dish)
| they use an array of a ton of tiny receivers (each of those
| tiny ICs would be a driver for a small, on-PCB antenna). Phased
| arrays (essentially algorithmically delaying the individual
| radio signals from/to each driver on the scale of fractions of
| a period of the carrier frequency) let you do really precise
| beamforming and aiming, but take a lot of processing power and
| a lot of antennae to be efficient so weren't practical until
| recently.
|
| [0] https://en.wikipedia.org/wiki/Phased_array
| ChrisGammell wrote:
| It's a phased array, it uses those many little chips to do
| "beam steering". Check out this video by The Signal Path (a
| Bell Labs expert!) doing a teardown and explaining parts of it:
| https://www.youtube.com/watch?v=h6MfM8EFkGg
___________________________________________________________________
(page generated 2021-07-06 23:00 UTC)