There’s a lot of expense in what telephone companies call “the last mile” — delivering service from the main trunks to your home or business. Starlink wants to avoid that cost by connecting you via an array of low-orbit satellites, and some users are already on the service. In Belgium, [Lennert Wouters] managed to dump the terminal’s firmware and has some interesting observations.
The teardown is actually more than just a firmware dump. His “level 1” teardown involves exposing the board. This can be tricky because there are apparently several versions of the terminal already in circulation, so advice from one source might not match your hardware, and that was the case here.
A UART connector revealed U-Boot log messages on startup. The boot messages displayed instructions for interrupting the boot process, but those didn’t appear to actually work. The next step was “level 2”, which involved removing the board to directly access the eMMC chip.
Dumping the data from the chip wasn’t that hard. However, the raw dump also contained error correcting codes that aren’t part of the actual data stream, so those had to be stripped out before the firmware could be analyzed.
Analysis of the code proved interesting. There is a fuse that identifies development hardware, and if that fuse isn’t present, you can’t log in. Further, the login capability is geofenced: you have to be in certain locations — some, but not all, SpaceX facilities — to log in.
Overall, an interesting teardown, and we wonder what other secrets these terminals will give up as more people get access to them. We’ve covered the system before, including an X-ray view of the antenna.
Geofencing is an easy one. I guess you could get around that (with questionable legality) with SDR GPS spoofing.
Depends on whether they keep using GPS or start using their own satellite system for global positioning.
That is right. Starlink has its own GNSS capability and I presume they would use it.
But if their own GNSS isn’t encrypted couldn’t it still, eventually, be spoofed?
They would be pretty inaccurate without good clocks on the sats.
The legality does not always need to be questionable. If your RF does not go anywhere near an antenna, there should be no legal issues, e.g., a direct coax connection from your SDR into the GPS antenna input, with 10 dB to 70 dB of attenuation in between. Or even with an antenna (with an inline attenuator) if the signalling was restricted inside of a Faraday cage.
Some crazy people have even used “Antibacterial Mosquito Net 100% silver (plated) fiber” for EMF Shielding/Radiation Shielding which will only provide about 23 dB of attenuation when used as a Faraday cage.
Why not just change the firmware’s geofence points? SpaceX will have a new “development site” in your yard… Most hacking is least-effort.
I wonder if the fuse bits are physically blown links or whether they could be reset with a precisely drilled hole and a uv laser.
Many SoCs have user-defined efuses that can be blown in production or in the field.
No doubt far too small to repair in a home setting. Maybe one could apply a varnish, then burn a precise hole with a laser and fill the top with something conductive enough to rebridge the fuse. Maybe mounting a magnetic CD drive lens focusing module might be enough to aim a beam with enough precision; guess you’d have to vacuum the varnish to get out any bubbles, then vacuum the conductive fluid again to make sure you got a good contact.
Theoretically possible but I guess it’s like trying to do brain surgery on individual neurons. Acronymed agency stuff for now perhaps.
On second thoughts, sputtering after the mask might be a better option, since the nonconductive layer would have to be degassed anyway.
You’d need a FIB machine to close efuses, and sometimes they are hidden under a metal layer to make tampering difficult.
Easier to do what was done with the 360 when they wanted to run devkit firmware. Get the system to boot, then emulate the fuse set with a reboot attack.
I strongly suspect that the “ROM” and “write once” memories in STM chips are simply flash like the rest. Just that the erase-and-write functions for ROM are blocked and just the erase for write once.
Isn’t the fuse state read by software? Might be easier to just hack that instead…
Still leaves the matter of the geo-fence though.
It’s some interesting system.
https://youtu.be/iKtOW92ncq0
As far as last mile expense goes, that seems to hold even if the technology changes.
ISPs want to complain about ‘last mile’, but also don’t want cities/towns to solve that problem for all providers and make them compete. Apparently my empathy does have its bounds…