[HN Gopher] Starlink's User Terminal Firmware
___________________________________________________________________

Starlink's User Terminal Firmware

Author : jandeboevrie
Score  : 162 points
Date   : 2023-08-29 14:24 UTC (8 hours ago)

(HTM) web link (blog.quarkslab.com)

| TT-392 wrote:
| Another day, another website, made unreadable by the use of
| justified text.

| sleepybrett wrote:
| I'm not sure why your petty personal problem, that is remedied
| very easily in every browser, requires a comment.

| eddieroger wrote:
| Oh, /that's/ why it's called _cascading_ style sheets. :-)

| notfish wrote:
| It's wild to see some of our internal code getting reverse
| engineered like this. What an incredibly cool read, thanks a ton
| for sharing!

| bottlepalm wrote:
| It seems like the weak point was the frontend process that was
| written in Go which was decompiler friendly, allowing the author
| to unravel a lot of details about the other software processes
| and communication protocols.

| keyme wrote:
| Good work!
|
| There's an immediate application to this research, and that's
| answering the following question:
|
| How does the implementation of their geo-fencing enforcement
| actually work? As you may know, you can't use starlink in India
| (or Iran etc.), even with a roaming plan.
|
| Sure, it _is possible_ that the satellites just "go off"
| whenever passing over these territories. However, from
| experience, there's a good chance that this isn't how it works.
| Perhaps there is some cooperation from the client side (at the
| software level). Perhaps the terminal being hard-to-root had made
| it "trusted enough" for this purpose in their security design.
|
| If anyone is up to answering that question, I'm sure they'll get
| a bunch of karma on their HN post.

| weregiraffe wrote:
| Huh? Why would the satellites go off? The Starlink satellites
| know their own location, so they most likely have a list of
| cells they are allowed to serve.
| It's a lot harder to hack a satellite in orbit than a terminal
| you have physical access to.

| appplication wrote:
| Well... no actually. Many satellites are "bent pipes", and do
| no signal authentication. They just transpond and send the
| data back down. If you can get the uplink to hear you, you
| can use it. The problem is uplink may not always be listening
| in your direction.
|
| It's actually really easy to jam or pirate many satellites
| for this reason. I'm unsure if spacex has more auth than the
| industry standard.
|
| Source: I used to geolocate jammers and pirates.

| dotnet00 wrote:
| I'd expect that since Starlink has to be a bit more
| involved in the communication (particularly for determining
| need for packet routing over the laser interconnects
| between satellites), they might not be bent pipes.
|
| Plus, with things like updating the constellation, which
| likely is a significant security concern, they would
| probably be relying on some sort of geofencing.

| xoa wrote:
| Starlink is unique in being a LEO massive constellation
| using phased arrays and thus afaik cannot work like that.
| The terminal and satellites must work in conjunction to
| steer the beam electronically at a pretty fast rate,
| they're only ~550km away at a relative velocity of
| 7-someodd km/s. Cells are quite small, beam spots even
| smaller, and terminals must both track a given sat and jump
| between multiple ones.
|
| Yes, all indications are that SpaceX auth is also very
| modern and very good, but the very nature of the system
| means they have to have quite precise location information
| on both sides. The satellites will simply not transmit
| where it's not permitted by regulators, and can do that
| with high resolution because they simply physically cannot
| usefully see very big circles. That's exactly why thousands
| and thousands of satellites are needed.
|
| In another comment you mentioned "if there's any beam
| shaping" which seems to indicate you really haven't ever
| taken any real look at Starlink? It's nothing like an old
| HEO sat system.

| appplication wrote:
| > seems to indicate you really haven't ever taken any
| real look at Starlink? It's nothing like an old HEO sat
| system.
|
| I haven't! I enjoyed being enlightened by your comment
| though.

| jasonwatkinspdx wrote:
| Here's a live map of the constellation that also shows
| ground stations: https://satellitemap.space/
|
| SpaceX has been developing sat to sat links, but in the
| current system a majority of traffic just goes up and
| down like a bent pipe. However because of the speed the
| sats move the system needs to know the location of all
| endpoints in real time. A given sat is only visible to a
| base station for something like 90 seconds. So it's very
| different from traditional GEO services, or even MEO
| services like Iridium et al. for that matter.

| appplication wrote:
| I would bet if there's any beam shaping they try to shape to
| avoid affected areas. Better to allocate that power somewhere
| it's useful/paid for.
|
| They probably also just authenticate based on end user (e.g.
| what is the account being used and where is it registered), and
| make it against usage terms to operate in certain geolocations.
| The uplink terminals may also include GPS metadata but that
| doesn't seem necessary since most won't move and extra GPS
| equipment would be added expense.

| keyme wrote:
| I have no source handy, but I vaguely remember a GPS module
| present on board (I've likely seen that on some youtube
| teardown).

| jcims wrote:
| There is

| h2odragon wrote:
| analyzing network hardware for academic credit? nifty! How long
| has this been going on?
|
| Anybody done a comb over OpenWRT similarly? There's numerous
| slightly customized versions of that in all sorts of hardware.

| [deleted]

| timtom39 wrote:
| Yea, favorite place I found OpenWRT was in DJI phantom 2 Wi-Fi
| Extender module. Managed to SSH into it. Hardware was not
| particularly interesting just cool to see OpenWRT in a widely
| purchased product.

| h2odragon wrote:
| vacuum cleaners.
|
| I went "wait, what?" and then "well, that makes perfect sense
| actually"

| mydriasis wrote:
| I was part of a project that did some analysis of OpenWRT
| _firmware_ at scale. It was a lot of fun. The firmware is
| (obviously) publicly available. If you're interested in
| finding some cool results, you should try out FACT:
|
| https://github.com/fkie-cad/FACT_core
|
| It's a super neat tool that does lots of interesting things.

| toomuchtodo wrote:
| Related:
|
| https://hackaday.com/2022/11/28/a-modchip-to-root-starlink-u...
|
| https://youtu.be/NXqLMmGwJm0

| denysvitali wrote:
| > The first step was to dump the firmware of the device since
| it's not publicly available, and we did that thanks to a blog
| post by the COSIC research group at KU Leuven.
|
| And they contribute by not sharing the firmware :(
|
| I know it might have legal issues, but this is not helpful for
| other researchers if we keep things hidden

| nicolodev wrote:
| > Tim Ferrell, from SpaceX's security team, for sending us a
| testing dish with root access.
|
| They probably had an NDA or something that prohibits them to
| release the firmware publicly.

| denysvitali wrote:
| It (sadly) makes sense :(

| [deleted]

| xoa wrote:
| It's definitely worth reading some of those earlier studies as
| well as this one, like that link 2 "Dumping and extracting the
| SpaceX Starlink User Terminal firmware" [0] also got some good
| discussion and insights [1].
| There were a few tidbits in that I don't see here, like how
| root-enabled development hardware also was geofenced both to
| obvious SpaceX locations but also a few pretty random seeming
| ones that presumably were used for quiet off site testing in
| more challenging environmental conditions. It's cool to read
| the build up of knowledge, although one take home that
| shouldn't be unusual, yet is, was that SpaceX really seems to
| have done a pretty careful job in terms of security from the
| get-go, learning the lessons of those who came before for once.
|
| ----
|
| 0: https://www.esat.kuleuven.be/cosic/blog/dumping-and-extracti...
|
| 1: https://news.ycombinator.com/item?id=27751759

| kklisura wrote:
| How long until someone patches/builds a firmware and makes a
| radar out of the dish?

___________________________________________________________________
(page generated 2023-08-29 23:00 UTC)