[HN Gopher] Starlink's User Terminal Firmware
       ___________________________________________________________________
        
       Starlink's User Terminal Firmware
        
       Author : jandeboevrie
       Score  : 162 points
       Date   : 2023-08-29 14:24 UTC (8 hours ago)
        
 (HTM) web link (blog.quarkslab.com)
 (TXT) w3m dump (blog.quarkslab.com)
        
       | TT-392 wrote:
       | Another day, another website, made unreadable by the use of
       | justified text.
        
         | sleepybrett wrote:
         | I'm not sure why your petty personal problem, that is remedied
         | very easily in every browser, requires a comment.
        
           | eddieroger wrote:
           | Oh, /that's/ why it's called _cascading_ style sheets. :-)
        
       | notfish wrote:
       | Its wild to see some of our internal code getting reverse
       | engineered like this. What an incredibly cool read, thanks a ton
       | for sharing!
        
       | bottlepalm wrote:
       | It seems like the weak point was the frontend process that was
       | written in Go which was decompiler friendly, allowing the author
       | to unravel a lot of details about the other software processes
       | and communication protocols.
        
       | keyme wrote:
       | Good work!
       | 
       | There's an immediate application to this research, and that's
       | answering the following question:
       | 
       | How does the implementation of their geo-fencing enforcement
       | actually work? As you may know, you can't use Starlink in India
       | (or Iran etc.), even with a roaming plan.
       | 
       | Sure, it _is possible_ that the satellites just "go off"
       | whenever passing over these territories. However, from
       | experience, there's a good chance that this isn't how it works.
       | Perhaps there is some cooperation from the client side (at the
       | software level). Perhaps the terminal being hard-to-root had made
       | it "trusted enough" for this purpose in their security design.
       | 
       | If anyone is up to answering that question, I'm sure they'll get
       | a bunch of karma on their HN post.
        
         | weregiraffe wrote:
         | Huh? Why would the satellites go off? The Starlink satellites
         | know their own location, so they most likely have a list of
         | cells they are allowed to serve. It's a lot harder to hack a
         | satellite in orbit than a terminal you have physical access to.
        
           | appplication wrote:
           | Well... no actually. Many satellites are "bent pipes", and do
           | no signal authentication. They just transpond and send the
           | data back down. If you can get the uplink to hear you, you
           | can use it. The problem is uplink may not always be listening
           | in your direction.
           | 
           | It's actually really easy to jam or pirate many satellites
           | for this reason. I'm unsure if SpaceX has more auth than the
           | industry standard.
           | 
           | Source: I used to geolocate jammers and pirates.
        
             | dotnet00 wrote:
             | I'd expect that since Starlink has to be a bit more
             | involved in the communication (particularly for determining
             | need for packet routing over the laser interconnects
             | between satellites), they might not be bent pipes.
             | 
             | Plus, with things like updating the constellation, which
             | likely is a significant security concern, they would
             | probably be relying on some sort of geofencing.
        
             | xoa wrote:
             | Starlink is unique in being a LEO massive constellation
             | using phased arrays and thus afaik cannot work like that.
             | The terminal and satellites must work in conjunction to
             | steer the beam electronically at a pretty fast rate,
             | they're only ~550km away at a relative velocity of
             | 7-someodd km/s. Cells are quite small, beam spots even
             | smaller, and terminals must both track a given sat and jump
             | between multiple ones.
             | 
             | Yes, all indications are that SpaceX auth is also very
             | modern and very good, but the very nature of the system
             | means they have to have quite precise location information
             | on both sides. The satellites will simply not transmit
             | where it's not permitted by regulators, and can do that
             | with high resolution because they simply physically cannot
             | usefully see very big circles. That's exactly why thousands
             | and thousands of satellites are needed.
             | 
             | In another comment you mentioned "if there's any beam
             | shaping" which seems to indicate you really haven't ever
             | taken any real look at Starlink? It's nothing like an old
             | HEO sat system.
        
               | appplication wrote:
               | > seems to indicate you really haven't ever taken any
               | real look at Starlink? It's nothing like an old HEO sat
               | system.
               | 
               | I haven't! I enjoyed being enlightened by your comment
               | though.
        
               | jasonwatkinspdx wrote:
               | Here's a live map of the constellation that also shows
               | ground stations: https://satellitemap.space/
               | 
               | SpaceX has been developing sat to sat links, but in the
               | current system a majority of traffic just goes up and
               | down like a bent pipe. However because of the speed the
               | sats move the system needs to know the location of all
               | endpoints in real time. A given sat is only visible to a
               | base station for something like 90 seconds. So it's very
               | different from traditional GEO services, or even MEO
               | services like Iridium et al. for that matter.
        
         | appplication wrote:
         | I would bet if there's any beam shaping they try to shape to
         | avoid affected areas. Better to allocate that power somewhere
         | it's useful/paid for.
         | 
         | They probably also just authenticate based on end user (e.g.
         | what is the account being used and where is it registered), and
         | make it against usage terms to operate in certain geolocations.
         | The uplink terminals may also include GPS metadata but that
         | doesn't seem necessary since most won't move and extra GPS
         | equipment would be added expense.
        
           | keyme wrote:
           | I have no source handy, but I vaguely remember a GPS module
           | present on board (I've likely seen that on some YouTube
           | teardown).
        
             | jcims wrote:
             | There is
        
       | h2odragon wrote:
       | analyzing network hardware for academic credit? nifty! How long
       | has this been going on?
       | 
       | Anybody done a comb over OpenWRT similarly? There's numerous
       | slightly customized versions of that in all sorts of hardware.
        
         | [deleted]
        
         | timtom39 wrote:
         | Yea, favorite place I found OpenWRT was in the DJI Phantom 2 Wi-Fi
         | Extender module. Managed to SSH into it. Hardware was not
         | particularly interesting, just cool to see OpenWRT in a widely
         | purchased product.
        
           | h2odragon wrote:
           | vacuum cleaners.
           | 
           | I went "wait, what?" and then "well, that makes perfect sense
           | actually"
        
         | mydriasis wrote:
         | I was part of a project that did some analysis of OpenWRT
         | _firmware_ at scale. It was a lot of fun. The firmware is
         | (obviously) publicly available. If you're interested in
         | finding some cool results, you should try out FACT:
         | 
         | https://github.com/fkie-cad/FACT_core
         | 
         | It's a super neat tool that does lots of interesting things.
        
       | toomuchtodo wrote:
       | Related:
       | 
       | https://hackaday.com/2022/11/28/a-modchip-to-root-starlink-u...
       | 
       | https://youtu.be/NXqLMmGwJm0
        
       | denysvitali wrote:
       | > The first step was to dump the firmware of the device since
       | it's not publicly available, and we did that thanks to a blog
       | post by the COSIC research group at KU Leuven.
       | 
       | And they contribute by not sharing the firmware :(
       | 
       | I know it might have legal issues, but this is not helpful for
       | other researchers if we keep things hidden
        
         | nicolodev wrote:
         | > Tim Ferrell, from SpaceX's security team, for sending us a
         | testing dish with root access.
         | 
         | They probably had an NDA or something that prohibits them from
         | releasing the firmware publicly.
        
           | denysvitali wrote:
           | It (sadly) makes sense :(
        
         | [deleted]
        
       | xoa wrote:
       | It's definitely worth reading some of those earlier studies as
       | well as this one, like that link 2 "Dumping and extracting the
       | SpaceX Starlink User Terminal firmware" [0] also got some good
       | discussion and insights [1]. There were a few tidbits in that I
       | don't see here, like how root-enabled development hardware also
       | was geofenced to both obvious SpaceX locations and a few
       | pretty random-seeming ones that presumably were used for quiet
       | off-site testing in more challenging environmental conditions.
       | It's cool to read the build-up of knowledge, although one take-
       | home that shouldn't be unusual yet it was is that SpaceX really
       | seems to have done a pretty careful job in terms of security from
       | the get-go, learning the lessons of those who came before for
       | once.
       | 
       | ----
       | 
       | 0: https://www.esat.kuleuven.be/cosic/blog/dumping-and-
       | extracti...
       | 
       | 1: https://news.ycombinator.com/item?id=27751759
        
       | kklisura wrote:
       | How long until someone patches/builds a firmware and makes a
       | radar out of the dish?
        
       ___________________________________________________________________
       (page generated 2023-08-29 23:00 UTC)