When [Elon] Says No, Just Reverse Engineer The Starlink Signal

We all know that it’s sometimes better to beg forgiveness than ask permission to do something, and we’ll venture a guess that more than a few of us have taken that advice to heart on occasion. But [Todd Humphreys] got the order of operations a bit mixed up with his attempt to leverage the Starlink network as a backup to the Global Positioning System, and ended up doing some interesting reverse engineering work as a result.

The story goes that [Todd] and his team at the University of Texas Austin’s Radionavigation Lab, on behalf of their sponsors in the US Army, approached Starlink about cooperating on a project to make their low-Earth orbit constellation provide position, navigation, and timing capabilities. Although initially interested in the project, Starlink honcho [Elon Musk] put the brakes on things, leaving [Todd]’s team high and dry. Not to be dissuaded, they bought a Starlink user terminal, built what amounts to a small radiotelescope — although we’ve seen something similar done with just an RTL-SDR — and proceeded to reverse-engineer the structure of Starlink’s Ku-band downlink signal. The paper (PDF link) on their findings is densely packed with details, such as the fact that Starlink uses an orthogonal frequency-division multiplexing (OFDM) scheme.

It’s important to note that their goal was not to break encryption or sniff in on user data; rather, they wanted access to the synchronization and timing signals embedded in the Starlink data structures. By using this data along with the publically available ephemera for each satellite, it’s possible to quickly calculate the exact distance to multiple satellites and determine the receiver’s location to within 30 meters. It’s not as good as some GPS-Starlink hacks we’ve seen, but it’s still pretty good in a pinch. Besides, the reverse engineering work here is well worth a read.

Thanks to [Adrian] for the tip!

37 thoughts on “When [Elon] Says No, Just Reverse Engineer The Starlink Signal

  1. This guy has a lot of fans and enemies, it’s absolutely inane. I remember when they shifted from “don’t buy twitter” to “you must buy twitter”. Their sole opinion is to be contrarians now of what Elon wants.

    Either way impressive hack, but I’m not sure if the motivation behind these is a good one. No matter what, it seems unlikely that I cannot use either Galileo, GPS, GLONASS, Beidou all at once. No need for inaccurate Starlink location. But these are my 2cents.

    1. Starlink signals should be quite a bit stronger than most typical GNSS signals. They are on a completely different band as well. For a normal user their seems to be no gain, but in an environment with heavy electronic warfare it can make the difference.

      Surprising they use OFDM, for a satellite to ground channel it doesn’t really offer much…

      1. OFDM is actually detrimental in satellite communications. Not only is multipath interference not a problem. OFDM als has a high peak-to-average amplitude ratio, but transmitting on a link with 120 to 200 dB loss from a power-constrained vehicle you want average power to be as high as possible, not peak power.

        Looks like the same geniuses who design Tesla’s hard- and software are also at work at SpaceX.

        1. You forgot one important detail: Starlink uses active phased array antennas. You can’t get a narrow main lobe from a phased array with a wideband signal, but you can split the wideband signal up into many narrowband signals and apply an individual, corrective phase shift to each of them.
          Hence why Starlink uses OFDM and you need to tune down the arrogancy a little.

      2. unless you have obstructions to the north then you might as well be peeing into the wind as the old timers say. I should know i got starlink, the app said i had good coverage with no obstructions and the service was worthless for me. So if you have northern obstructions this hack/trying to use starlink as a gps renders itself useless.

      3. “but in an environment with heavy electronic warfare it can make the difference.”

        Which sounds like a great reason not to do this kind of thing right now. It might be helping Russia kill more civilians.

    2. The US Military specifically wants a backup for their own GPS, but all other existing GNSS constellations are run by their enemies. Starlink is the only active commercial US-controlled constellation.

      Also GPS was deliberately built to have extremely weak signals, a feature no longer required but hard to change. Starlink signals OTOH are as powerful as possible and there are more satellites, so it could enable geolocalization in places where none of the GNSS constellations work.

      1. Why doesn’t the military have backup systems? Why do they have to resort to “the only commercial” constellation at all? Ball dropped? This is pretty weird. You know a lot of people are watching and taking notes.

        1. LORAN-C was the previous technology, but was only accurate in the hundreds of meters and sometimes only accurate within a mile or so. The USCG kept it running well after GPS became standardized, but budget cuts forced it offline. There were attempts to modernize it and make it a ground based system nearly as capable as GPS, but it never took off beyond a station or two.

        2. The military has lots of backup systems, they’re called inertial navigation, terrain-follow radar, laser guidance, wire guidance etc. It simply makes sense to use everything you can get, adds another item to the list of things the enemy has to care about and that might get through.

          What surprises me is that the military didn’t simply force Starlink to comply and implement exactly the stuff they want.

          1. Starlink is probably outside the reach of US jurisdiction. These satellites contain a lot of export restricted technology and if you want to provide world wide service, you better stay clear of US territory.

        1. The US has been disrupting relations between EU member states for decades and has rolled out pervasive surveillance on the whole world. Friends wouldn’t do that to friends.

          1. “We have no eternal allies, and we have no perpetual enemies. Our interests are eternal and perpetual, and those interests it is our duty to follow.”

            – Lord Palmerston, 1848-03-01

    3. The manager class is becoming inbred and inept again.

      And yes, the unspoken factor in this is that it implies a profound decline in defense sophistication: now they have to beg, then try to force, then try to hack some random eccentric billionaire’s assets to get their communications logistics working. Instead of just using a plentiful constellation of US military/CIA birds. I mean I’m certain those are involved to, but perhaps not for tx work. Ayn Rand would love this one.

      1. One has to keep in mind most of the experienced officers are ending their tours out of disgust with the “woke” policies being forced upon them. Where new recruits are indoctrinated that the United States was a product of “imperialism”, not one of hard work and grit.

        This doesn’t even speak to being forced to accept an experimental injection of a dubious genetically engineered substance. Many service members resigned. I know of one USAF Lt who was in tears having to make a choice between her career or her unborn child perhaps being harmed.

        What’s left are nothing but narcisstic “yes” staffers who are exactly what the current regime want. Unfortunately, they’re all dim witted charlatans who are more concerned about pronouns and “gender identity” than mission readiness and winning in combat (the principal purpose of a military force). When you have the JCSC openly confess he would call up his chicom counterpart to warn them of an impending US strike – it’s beyond the pale !

        1. So true. And this observation comes from someone under the Canuckistan totalitarian government of Turdoh. God save America, and then provide cover for a “freedom movement” up here.

    4. Not sure about other countries but in Poland GLONASS has been unavailable since mid June. I could catch its signal in Czeremcha but when I was back home in Hajnówka it wouldn’t work anymore. Every 2 weeks I visit my GF in Lida (Belarus) and here it works fine. On the other hand GPS gets wonky after crossing Belarus border. Sometimes I had almost 300m error, sometimes no fix at all (mostly when driving near military bases) but funny thing it’s working ok in larger cities (at least in Grodno, Mińsk and Lida).

      PS. if you get chance to visit Belarus definitely stock up on their sweets. They are much better than what Wedel or Milka makes.

    5. You’re possibly underestimating the ability, ease, and desire to jam these navigation systems by any and all involved parties when things go sour. It’s literally built in to them as a feature. There’s a reason that they still have inertial systems, terrain matching, optical stuff in the development pipeline, and a whole lot more. And pilots still follow roads and geographic features. The navigation problem is NOT solved. On the other hand, the US military has some pretty great anti-jamming tech on the GPS side, but nothing is perfect.

      1. An IMU in a modern military plane does a lot more then just navigation…for one, it’s absolutely critical for keeping any “modern” fighter jet flying in a predictable manner and all those fancy stabilized cameras and laser designators also need some seriously stable gyros.

        as for SHTF scenarios – Starlink is a terrible backup. The low orbit means it’s easy to pick the satellites off with missile systems and the resulting kessler syndrome will quickly fix itself, adding motivation to not hesitate…

        1. “it’s easy to pick the satellites off with missile systems”
          I doubt that. You need thousands of missiles to take the network down and your targets are like small cars that move with 27000 km/h.

          1. You forget the shotgun approach, where you simply shoot one rocket that disperses a ton of ball bearings in an opposing orbit.

            Couple weeks later, no more Starlink.

          2. You’d only be able to get so many of them with each launch that way Dude, effective though it should be for any of them in that dispersal cone (though I’d not be at all suprsied if most of them did survive – they are pretty damn tiny (and mobile) targets in a rather large area of space, you can definately hit one with such a method, but after that you are praying to the RNGesus that the balls do happen to pass through rather than past the others on their few passes before they are not in the right orbit (or orbit at all).

            Also the network as a whole should be able to mend itself rather easily as the satellites can reposition to fill a gap and the rate the satellites can be lofted makes taking enough of them out tricky. Going to take a great deal of launches to really put up enough crap in such low rapidly degrading orbits to actually nullify the system for long. Which is something I think as it stands probably only SpaceX could really do, and they are not going to do it to themselves.

            Kessler syndrome isn’t going to be a major problem for such low orbits that despite the number of starlink type satellites the space is still so very empty – stuff without engines just won’t stay up there long enough – when any collision has a huge chance to practically immediately de orbit both the shrapnel it created and itself its rather less problematic. So it really becomes an issue only for higher orbits where tiny little bullets of junk can wizz around breaking more bits off whatever they hit and odds are good all the resulting shrapnel still has substantial time in their new likely eccentric orbits to end up catching yet more stuff.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.