StarLink Terminal Unit Firmware Dumped

There’s a lot of expense in what telephone companies call “the last mile” — delivering service from the main trunks to your home or business. StarLink wants to avoid that cost by connecting you via an array of low-orbit satellites, and some users are already using the service. In Belgium, [Lennert Wouters] managed to dump the terminal’s firmware and has some interesting observations.

The teardown is actually more than just a firmware dump. His “level 1” teardown involves exposing the board. This can be tricky because there are apparently different versions of the terminal out already, so advice from one source might not match your hardware, and that was the case here.

A UART connector revealed U-Boot log messages on startup. The boot messages displayed instructions for interrupting the boot process, but they didn’t appear to actually work. The next step was “level 2”, which involved dislodging the board to directly access the eMMC chip.

Dumping the data from the chip wasn’t that hard. However, the chip also has error correcting codes that aren’t part of the actual data stream, so those had to go.

Analysis of the code proved interesting. There is a fuse that identifies development hardware and if that fuse isn’t present, you can’t log in. Further, the login flag is geofenced. You have to be in certain locations — some, but not all, SpaceX facilities — to log in.

Overall, an interesting teardown, and we wonder what other secrets these terminals will give up as more people have access to them. We’ve covered the system before, including an X-ray view of the antenna.

17 thoughts on “StarLink Terminal Unit Firmware Dumped”

    1. The legality does not always need to be questionable. If your RF does not go anywhere near an antenna, there should be no legal issues. e.g. A direct coax connection from your SDR into the GPS antenna input, with 10dB to 70dB of attenuation in between. Or even with an antenna (with an inline attenuator) if the signalling was restricted inside of a Faraday cage.

      Some crazy people have even used “Antibacterial Mosquito Net 100% silver (plated) fiber” for EMF Shielding/Radiation Shielding which will only provide about 23 dB of attenuation when used as a Faraday cage.

      1. No doubt far too small to repair in a home setting. Maybe one could apply a varnish, then burn a precise hole with a laser and fill the top with something conductive enough to rebridge the fuse. Maybe mounting a magnetic CD drive lens focusing module might be enough to aim a beam with enough precision, guess you’d have to vacuum the varnish to get out any bubbles, then vacuum the conductive fluid again to make sure you got a good contact.
        Theoretically possible but I guess it’s like trying to do brain surgery on individual neurons. Acronymed agency stuff for now perhaps.

        1. I strongly suspect that the “ROM” and “write once” memories in STM chips are simply flash like the rest. Just that the erase-and-write functions for ROM are blocked and just the erase for write once.

  1. ISPs want to complain about ‘last mile’, but also don’t want cities/towns to solve that problem for all providers and make them compete. Apparently my empathy does have its bounds…
