[HN Gopher] Dumping and extracting the SpaceX Starlink user term...
___________________________________________________________________
Dumping and extracting the SpaceX Starlink user terminal firmware
Author : rubenbe
Score  : 124 points
Date   : 2021-07-06 17:36 UTC (5 hours ago)
(HTM) web link (www.esat.kuleuven.be)
(TXT) w3m dump (www.esat.kuleuven.be)

| flatiron wrote:
| i bet we would all really like to spend some time at SNOW_RANCH!

| sneak wrote:
| Been meaning to do this myself! Great to see it. :)
|
| > _While we would have to perform some more tests it appears that a full trusted boot chain (TF-A) is implemented from the early stage ROM bootloader all the way down to the Linux operating system._
|
| This unfortunately means it will likely be somewhat difficult (or infeasible) to reflash it with a custom firmware that uses actual GPS location for targeting of satellites but reports a couple km offset to the telemetry service APIs to keep my residence address somewhat private from my ISP.
|
| It's a bummer they didn't share the dumps. It always bothers me when researchers act all coy about their results. Now I have to get my hands on a dish myself and do what they didn't (namely, actually publish the data).

| nonameiguess wrote:
| Do you normally have the ability to hide your address from your ISP? As the first owner of my house, I needed to have them physically come out to run a new line that didn't exist before, and there is obviously no way to have a cable run to your house without telling the cable provider where your house is.

| sneak wrote:
| My terrestrial ISP fails open on identity check/verification, so I was able to give them a brand new alias and answer "none of the above" to all of the public records verification questions, and simply run 100% of the traffic out of the pipe over a VPN via a VPN router. They see nothing but ciphertext to a datacenter. This did require their largest-tier service deposit due to null credit history, but such is life.
|
| To answer your question directly, no, they have the service address. But with no other data to link the service address to me, this is okay.
|
| With starlink I am hoping to upgrade the privacy setup to +/-2km location fuzziness. I don't think I'll ever use an ISP without 100% of the last mile traffic being VPN'd ever again.

| nonameiguess wrote:
| How the heck did you manage to purchase the service anonymously? I had trouble even putting in service requests at first because my wife set up the account and didn't add me, so when I called, they wouldn't even talk to me because I couldn't prove I was the account owner. How do they bill you without knowing who you are?

| sneak wrote:
| Send me an email and I'll be happy to share specifics.

| ravedave5 wrote:
| If someone at starlink wanted your address I don't think lack of GPS would stop them.

| sneak wrote:
| What avenues would they have to determine precise location if the dish reported its location 1km off, the delivery of CPE went to a different name/address, the service is paid for with a prepaid card, and 100% of the traffic to/from the device is encrypted at L4 to prevent usefulness of sniffing?

| nonameiguess wrote:
| Have you actually ordered Starlink service yet? I'm on the list having put in a deposit and they expect to start offering service here in September. I had to give them an address so they know where to send the satellite to. That gives them precise location.
|
| Though sure, you could make the purchase using a pre-paid card under a fake identity so they can't associate the address with a person. At least not through their own records. House deeds are public record, so if you own the house, they can figure out who you are by making a public records request, which is generally one way refi spammers find you.
|
| Plus, depending on where you are, the government itself might sell your name and address to third parties. I know Texas does this, which is why I put off getting a Texas ID for such a long time and continued using California ID until Texas last year decided you can't vote with an out-of-state ID. So now the DMV is selling my identity and I'm getting a lot more spam.

| toomuchtodo wrote:
| Multilateration. Can't cheat RF time of arrival/flight. And a StarLink terminal misreporting its position and the constellation indicating such an anomaly sounds like a paddlin' from StarLink.
|
| https://en.wikipedia.org/wiki/Multilateration

| gruez wrote:
| Time of flight + beamforming data (which essentially generates an angle)

| Tuna-Fish wrote:
| They know the locations of their satellites extremely precisely, and they know the round-trip time from them to the dish. It basically is a positioning system on its own.

| sneak wrote:
| Sure, but to do this would require firmware support (due to the timing requirements) in the satellites themselves, I believe. I doubt that's happening right now.

| uniqueuid wrote:
| Gives IP geolocation a whole new meaning.
|
| 33-9207N-118-3278W.clients.starlink.com

| perihelions wrote:
| 'X' marks the spot!

| olyjohn wrote:
| How precise is that coordinate? My neighbor and I both have Starlink and our dishes can't be more than 200 feet apart.

| fotbr wrote:
| Assuming that they're referring to decimal degree notation, and not Degrees-Minutes-Seconds, and that the location is correct, and ignoring the spheroid vs perfect sphere issues: about 11.1 meters (36.4 ft).
|
| http://wiki.gis.com/wiki/index.php/Decimal_degrees
|
| If it's DMS, again assuming location is correct, ignoring spheroid vs sphere: something between 80 and 100 ft (24.4 - 30.48 meters).
|
| https://www.usgs.gov/faqs/how-much-distance-does-a-degree-mi...

| jcims wrote:
| I was literally just thinking about the inevitability of someone doing this yesterday. I don't have the chops but there would seem to be a bunch of cool possibilities for the dish hardware for the SDR crowd.

| FeepingCreature wrote:
| I don't see how that would work if the satellite has to target the dish.

| sneak wrote:
| The beams that aim at the ground are substantially more than 1km wide at ground level, to the best of my knowledge.
|
| It's the same concept as ubering to the house two houses down and across the street. Close enough for rock'n'roll.
|
| It's also possible I'm totally wrong and this would break connectivity--but I doubt it.

| uniqueuid wrote:
| By the way, sharing the dumps is probably a copyright risk.
|
| Science in some countries enjoys copyright exemptions for doing research, but not for publishing raw data obtained from commercial sources.

| sneak wrote:
| Fair point, but anyone who knows how to dump firmwares knows how to publish files anonymously.

| luma wrote:
| In doing so they put themselves in a precarious legal position. The author has given you all they legally are allowed to. If you want a copy of the firmware, you now have all of the information you need to obtain your own copy.

| ovi256 wrote:
| > Interestingly, some of these geofences do not seem to have a clear connection to SpaceX. While we will not disclose these locations here, I will say that the SNOW_RANCH looks like a nice location to play with development hardware.
|
| Most likely these are testing locations. Possibly even second homes of testers & engineers. After all, this is a product that has very different operating parameters depending on location.

| tyingq wrote:
| There's a "Snow Ranch" that is a working cattle ranch near Stockton California, where the owners allow model rocket launches. http://www.lunar.org/events.shtml
|
| I wonder if that's what he's alluding to. I don't see an explicit connection to SpaceX, but it seems to fit.

| FireBeyond wrote:
| Gotta be careful. Someone dumped the firmware from their Tesla Model S and discovered info about the then-unannounced Model 3.
|
| Tesla responded by disabling the car's ethernet port, downgrading the firmware, and preventing the car from receiving future upgrades to software.

| jcims wrote:
| There is a bug bounty for Starlink, this seems to be in scope.

| jve wrote:
| Source?
|
| There is this ex-employee, telling some interesting stories. And regarding the downgrade... he was the one who did it for reasons he explains. I want to see if you are talking about a different case or what.
|
| > Question: There's the story online of that hacker who was pulling software images off through the door Ethernet port and found that his car's firmware was remotely downgraded after he uncovered and posted the first references to the P100 models.
|
| > Answer: yup, i'm the guy that installed the older versions. this was a marketing mistake really. if i recall correctly, he ended up getting a marketing car or his car got tagged in the update system as a trusted car and he ended up getting pre-release stuff. this happened from time to time - sometimes marketing would sell off a car and the poo poo erp system wouldn't record the change. that car would then get prerelease and sometimes very broken firmware. i seem to recall another case where we just forgot to remove the prerelease materials from the official build, so all you had to do was look around.
|
| https://forums.somethingawful.com/showthread.php?threadid=38...

| dooglius wrote:
| Uh, that still doesn't paint Tesla in a good light, so this guy bought a car running special experimental firmware by mistake? What if there was a bug and he crashed?

| kaszanka wrote:
| If you thought Mirai was bad, just wait for the first "IoT" car worm that gets people killed. I hope it never happens, but if it does...

| W-Stool wrote:
| But you know eventually someone will do a big over the air firmware update and brick a couple of hundred cars. This is almost certain to happen eventually.

| ivrrimum wrote:
| wth? Is that even legal?

| CorrectHorseBat wrote:
| What I've read from KU Leuven is that they hack all kinds of cars, but Tesla's the only one that actually responds with fixes instead of lawsuits. [1]
|
| https://www.vrt.be/vrtnws/nl/2020/11/22/onderzoekers-ku-leuv...

| Dah00n wrote:
| They know if they tried a lawsuit they risk their entire business model of after sales updates have to change. Many countries -including the entirety of the EU- require a car to get a new type approval/certificate of conformity if you change a car significantly. When Tesla significantly changes a car (install a completely new self-driving system for example) every single Tesla is instantly uncertified and illegal on roads if Tesla were forced to follow the letter of the law. At some point Tesla will come up against this in court but so far we haven't really seen much mention of it[1]. Going to court over said firmware though and it will very likely happen or if someone gets killed because of an accident caused by something newly implemented (like FSD updates after type approval) then Tesla is on the hook for this accident. They are playing with fire and treading carefully.
|
| https://electrek.co/2019/01/29/tesla-sales-ban-sweden-over-s...

| uniqueuid wrote:
| Great writeup.
|
| I haven't seen products that use geofences to verify debug flags. Would it be possible to spoof this using a fake GPS e.g. with SDR?

| jandrese wrote:
| Sure, GPS SDR Sim[1] works just fine. You will want to be in an RF chamber of some kind not only to prevent the terminal from seeing natural GPS signals, but also to prevent you from screwing up the GPS in nearby satnav systems. Also because broadcasting on those bands on public airwaves is illegal as a private citizen.
|
| Of course putting your satellite antenna inside of an RF chamber also prevents it from working, so this may not be a viable long term strategy. Plus the terminal is undoubtedly using the GPS coordinates to calculate the antenna steering profile so you won't be able to lock on if your GPS is wrong. But since all they want to do is enable access to dump the firmware this probably isn't an issue.
|
| [1] https://github.com/osqzss/gps-sdr-sim

| squarefoot wrote:
| Spoofing GPS might be dangerous should the dish detect coarsely its position also from the IP satellite link. If it does, then having the incoming data telling one position and the GPS a very different one would likely trigger some protection.

| uniqueuid wrote:
| Yikes. Thanks for the details AND the warnings.
|
| An interesting question, however, is whether Starlink checks whether the satellite you're tuned to is plausible given the GPS coordinates ...

| stefan_ wrote:
| I'm not sure the dish can continue to work if it doesn't have a real GPS lock. That said, this is a mechanism that they found on the dish side in the firmware - firmware that is stored unencrypted on that flash chip - so you can obviously manipulate the firmware side to ignore the debug fuse stuff.

| nucleardog wrote:
| I'd have to imagine in this case it's using the GPS location to assist in acquiring and tracking the satellites (though that's entirely a guess based on the "auto-adjusting" that's claimed). Spoofing your GPS location like that may work as far as bypassing the geofence, but you may not get internet at the same time.

| gnu8 wrote:
| Right, if the UT has a mistaken idea of its position, it won't find the satellites that it is looking for in orbit, and simply not work. Alternatively, if it DID find satellites, then it will know at least what cell it is in (how big are these?) regardless of the spoofed GPS fix.

| etaioinshrdlu wrote:
| Does anyone know why there is a giant pcb with an array of little chips on it? This is not a normal satellite dish. How does it work?

| InitialLastName wrote:
| Looks like a phased array [0], which is probably a smart idea with a dish like that. Instead of using a parabolic reflector with a receiver at the focus (like in a normal satellite dish) they use an array of a ton of tiny receivers (each of those tiny ICs would be a driver for a small, on-PCB antenna). Phased arrays (essentially algorithmically delaying the individual radio signals from/to each driver on the scale of fractions of a period of the carrier frequency) let you do really precise beamforming and aiming, but take a lot of processing power and a lot of antennae to be efficient so weren't practical until recently.
|
| [0] https://en.wikipedia.org/wiki/Phased_array

| ChrisGammell wrote:
| It's a phased array, it uses those many little chips to do "beam steering". Check out this video by The Signal Path (a Bell Labs expert!) doing a teardown and explaining parts of it: https://www.youtube.com/watch?v=h6MfM8EFkGg
___________________________________________________________________
(page generated 2021-07-06 23:00 UTC)
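Two technical points in the thread above lend themselves to arithmetic: fotbr's "about 11.1 meters" estimate for the resolution of the reverse-DNS coordinate, and the multilateration argument from toomuchtodo and Tuna-Fish that a terminal cannot report a position a couple of km off without contradicting the satellite ranging. The block below is an added example; it is not code from the KU Leuven write-up, from Starlink, or from anyone in the thread. It assumes that the label 33-9207N-118-3278W encodes decimal degrees with the hyphen standing in for the decimal point (fotbr's reading, not a documented format), that a flat local east/north/up frame is accurate enough over a few km, and it uses four constructed satellite positions with "measured" ranges computed from a known true position. It then scores a position claimed 2 km east of the truth against those ranges.

```python
"""Added example (not from the KU Leuven write-up or the HN thread).

Assumptions, mine rather than facts about Starlink:
  * the reverse-DNS label "33-9207N-118-3278W" is decimal degrees with the
    hyphen standing in for the decimal point;
  * a flat local east/north/up (ENU) frame is fine over a few km;
  * satellite positions and measured ranges are constructed here.
"""
import math
import re

C_M_PER_US = 299.792458       # speed of light, metres per microsecond
M_PER_DEG_LAT = 111_320.0     # metres per degree of latitude (spherical approx.)

_HOST_RE = re.compile(
    r"^(?P<lat_d>\d+)-(?P<lat_f>\d+)(?P<ns>[NS])-(?P<lon_d>\d+)-(?P<lon_f>\d+)(?P<ew>[EW])\."
)


def parse_starlink_hostname(host):
    """Parse e.g. 33-9207N-118-3278W.clients.starlink.com into signed decimal
    degrees (lat, lon) plus the number of fractional digits carried.
    The format is an assumption; nothing in the thread documents it."""
    m = _HOST_RE.match(host)
    if not m:
        raise ValueError("unrecognised hostname format: %r" % host)
    lat = float("%s.%s" % (m["lat_d"], m["lat_f"]))
    lon = float("%s.%s" % (m["lon_d"], m["lon_f"]))
    if m["ns"] == "S":
        lat = -lat
    if m["ew"] == "W":
        lon = -lon
    return lat, lon, min(len(m["lat_f"]), len(m["lon_f"]))


def metres_per_last_digit(lat_deg, decimals):
    """Ground distance of one unit in the last decimal place as (north, east)
    metres; the east step shrinks with cos(latitude)."""
    step = 10.0 ** -decimals
    north = M_PER_DEG_LAT * step
    east = M_PER_DEG_LAT * math.cos(math.radians(lat_deg)) * step
    return north, east


def slant_range_m(pos, sat):
    """Straight-line distance between two ENU points in metres."""
    return math.dist(pos, sat)


def range_residuals_m(claimed_pos, sats, measured_ranges):
    """Per satellite: range implied by the claimed position minus the range
    actually measured. A truthful position gives ~0 for every satellite."""
    return [slant_range_m(claimed_pos, s) - r for s, r in zip(sats, measured_ranges)]


def position_is_plausible(claimed_pos, sats, measured_ranges, tol_m=100.0):
    """Accept the claim only if every residual is within tol_m metres."""
    worst = max(abs(r) for r in range_residuals_m(claimed_pos, sats, measured_ranges))
    return worst <= tol_m


def residual_to_us(residual_m):
    """One-way timing error (microseconds) implied by a range residual."""
    return residual_m / C_M_PER_US


# Constructed scenario: four satellites in a local ENU frame (metres), about
# 550 km up; one overhead, the others at mid elevations in different directions.
SATS = [
    (0.0, 0.0, 550_000.0),
    (400_000.0, 0.0, 550_000.0),
    (0.0, -500_000.0, 550_000.0),
    (-300_000.0, 300_000.0, 550_000.0),
]
TRUE_POS = (0.0, 0.0, 0.0)
MEASURED = [slant_range_m(TRUE_POS, s) for s in SATS]   # what time-of-flight would give


def spoof_demo(offset_east_m=2_000.0):
    """Claim a position offset_east_m east of the truth; return
    (residuals in metres, whether the claim passes the plausibility check)."""
    claimed = (offset_east_m, 0.0, 0.0)
    return range_residuals_m(claimed, SATS, MEASURED), position_is_plausible(claimed, SATS, MEASURED)


if __name__ == "__main__":
    lat, lon, dec = parse_starlink_hostname("33-9207N-118-3278W.clients.starlink.com")
    north, east = metres_per_last_digit(lat, dec)
    print("hostname -> %.4f, %.4f; last digit = %.1f m N / %.1f m E" % (lat, lon, north, east))
    residuals, ok = spoof_demo()
    for sat, r in zip(SATS, residuals):
        print("sat %-32s residual %8.1f m (%.2f us)" % (sat, r, residual_to_us(r)))
    print("2 km spoof passes ranging check?", ok)
```

The overhead satellite barely notices the 2 km shift (its range changes by under 4 m), which is why a single overhead link is not a position check; the low-elevation satellites in different directions are what give away the spoof, with residuals around a kilometre, i.e. several microseconds of timing error, far outside what a link that already tracks propagation delay would tolerate. The east/north resolution of the hostname coordinate comes out at roughly 11.1 m north and about 9.2 m east at that latitude, which is the figure fotbr gives before the cos(latitude) correction.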