Diving Into Starlink’s User Terminal Firmware

The average Starlink user probably doesn’t spend a lot of time thinking about their hardware after getting the dish aligned and wiring run. To security researchers, however, it’s another fascinating device to tinker with as they reverse-engineer the firmware and try to find out both what makes it tick and how to break it. This is essentially the subject of [Carlo Ramponi]’s article over at Quarkslab as he digs into the firmware architecture and potential weaknesses in its internal communication.

The user terminal hardware itself is a fairly standard AArch64 ARM-based SoC, along with the proprietary communication interface, all of which is controlled by the Linux-based firmware. Dumping the firmware itself was made easy thanks to existing work by researchers at KU Leuven, involving dumping the contents of the onboard eMMC storage. After this the firmware architecture could be analyzed, which turned out to consist mostly of C++-based binaries, but with a single big binary for the user front-end written in Go.

Communication between these processes is handled through a custom inter-process protocol called ‘Slate Sharing’, all of which is coordinated via the core User Terminal Control process. It is these Slate IPC messages that form the most likely attack surface for a fuzzing attack, with the SoftwareUpdateRequest command being an interesting target as it would seem to not require authentication since it doesn’t address a specific user. This work is part of [Carlo]’s master’s thesis, and should form the basis of further research on the Starlink User Terminal firmware.

2023 Cyberdeck Challenge: KOAT0 Portable Terminal

We’ve had cyberdecks as part of the scenery for long enough now that there is a series of common elements that appear across many different builds. The Raspberry Pi, for instance, or the mechanical keyboard, with a 3D printed body. [RobsonCuto]’s KOAT0 Portable Terminal has some of those in a particularly slim and neat design. The orange and grey color scheme really pops. Where this deck really shines, though, is the display. He’s eschewed LCDs or OLEDs, even CRTs, and gone for an unusual choice in a dot-matrix VFD.

The VFD in question is commonly available on AliExpress where it appears to be used for displaying Chinese characters. It’s not an obvious choice for a cyberdeck, so once the tidy-looking case is complete the real challenge in this project becomes how to drive it from the Pi. To that end, he appears to have some kind of text output working but still needs to complete a framebuffer driver. We applaud the effort and we really like the display. We’re curious as to how its meager resolution might best be used in a Linux device.

All in all, this is a ‘deck we’d be happy to use ourselves if it were an option. We particularly like the on-the-arm style of use, and we’re pretty sure it’s the first time we’ve seen one of these displays on these pages.

Linux Fu: The Old School Terminal

Maybe you have a vintage old-school computer. Maybe you have a replica. Maybe you just want to run SIMH and relive the glory days of CP/M or VMS. The problem is, it looks kind of silly to have CP/M running in your beautiful X11 terminal window full of 3D animations, opacity effects, and special fonts. You could buy an old CRT monitor. That would be cool, too, because on a modern screen, you don’t get scan lines and all the crummy artifacts that go along with an electron beam and phosphor display device. Or you can grab cool-retro-term.

Star Trek on CP/M

Even if you don’t have an old computer, the program will work fine to simply run your shell for everyday use. Confound the youngsters when they see your terminal with scan lines and CRT jitter updating the latest packages.

What Is It?

If you want a shell in a GUI, you used to use xterm, although most people use something more modern. I use Konsole, but some like RXVT or whatever terminal your distro favors. Cool-retro-term is just a replacement for this. By default, it only opens a shell prompt.

Selectric Typewriter Goes From Trash Can To Linux Terminal

If there’s only one lesson to be learned from [alnwlsn]’s conversion of an IBM Selectric typewriter into a serial terminal for Linux, it’s that we’ve been hanging around the wrong garbage cans. Because that’s where he found the donor machine for this project, and it wasn’t even the first one he’s come across in the trash. The best we’ve ever done is a nasty old microwave.

For being a dumpster find, the Selectric II was actually in pretty decent shape. The first couple of minutes of the video after the break show not only the minimal repairs needed to get the typewriter back on its feet, but also a whirlwind tour of the remarkably complex mechanisms that turn keypresses into characters on the page. As it turns out, knowing how the mechanical linkages work is the secret behind converting the Selectric into a teletype, entirely within the original enclosure and with as few modifications to the existing mechanism as possible.

Keypresses are mimicked with a mere thirteen solenoids — six for the “latch interposers” that interface with the famous whiffletree mechanism that converts binary input to a specific character on the typeball, and six more that control things like the cycle bail and control keys. The thirteenth solenoid controls an added bell, because every good teletype needs a bell. For sensing the keypresses — this is to be a duplex terminal, after all — [alnwlsn] pulled a page from the Soviet Cold War fieldcraft manual and used opto-interrupters to monitor the positions of the latch interposers as keys are pressed, plus more for the control keys.

The electronics are pretty straightforward — a bunch of MOSFETs to drive the solenoids, plus an AVR microcontroller. The terminal speaks RS-232, as one would expect, and within the limitations of keyboard and character set differences over the 50-odd years since the Selectric was introduced, it works fantastic as a Linux terminal. The back half of the video is loaded with demos, some of which aptly demonstrate why a lot of Unix commands look the way they do, but also some neat hybrid stuff, like a ChatGPT client.

Hats off to [alnwlsn] for tackling a difficult project while maintaining the integrity of the original hardware.

A Thoroughly Modern Serial Terminal

The humble desktop serial terminal may have long disappeared from the world of corporate IT, but there are still plenty of moments when professionals and enthusiasts alike need to hook up to a serial port. Many of us use a serial port on our laptops or other mobile devices, but [Neil Crawforth] has gone one better than that with the VT2040. It’s an old-style serial terminal in a super-handy portable format, and as one might guess from the name, it has an RP2040 microcontroller at its heart.

Attached to the chip is a rather nice keyboard, and an ILI9488 480×320 LCD display. The software is modular, providing a handy set of re-usable libraries for the different functions including a PIO-based serial port. His main application seems to be talking to an ESP8266, but we’re guessing with a MAX232 or other level shifter chip it could drive a more traditional port. Everything can be found in the project’s GitHub repository, allowing anyone to join the fun.

As long-time readers will know, we’ve been partial to a few serial terminals in the past. Particularly beloved is this extremely retro model with vintage dot matrix LEDs.

Aaron Christophel Brings DOOM To Payment Terminal

Payment terminals might feel intimidating — they’re generally manufactured with security in mind, with all manner of anti-tamper protections in place to prevent you from poking around in the hardware too much. But [Aaron Christophel] thinks that level of security isn’t always there in practice, however, and on his journey towards repurposing devices of all kinds, has stumbled upon just the terminal that will give up its secrets easily. The device in question is the Sumup Solo terminal, a small handheld with a battery, LTE connection and a payment card slot, helping you accept card payments even if you’re on the go.

Now, this terminal has security features like the anti-tamper shield over the crucial parts of the device, which causes payment processing-related keys to be erased when it is lifted. However, acupuncture needles, a tool firmly in [Aaron]’s arsenal, helped him reach two UART testpoints that were meant to be located under that shield, and they turned out to be all that a hacker needed to access the Linux system powering this terminal. Not just that, but the UART drops you right into the root shell, which [Aaron] dutifully explored — and after some cross-compilation and Linux tinkering, he got the terminal to, naturally, run Doom.

The video shows you even more, including the responsible disclosure process that he went through with Sumup, resulting in some patches and, we hope, even hardware improvements down the line. Now, the payment processing keys aren’t accessible from the Linux environment — however, [Aaron] notes that this doesn’t exclude attacks like changing the amount of money displayed while the customer is using such a terminal to pay.

If you’d like to take a closer look at some of the hardware tricks used in these secure devices, we did a teardown on one back in 2019 that should prove interesting.

A Modchip To Root Starlink User Terminals Through Voltage Glitching

A modchip is a small PCB that mounts directly on a larger board, tapping into points on that board to make it do something it wasn’t meant to do. We’ve typically seen modchips used with gaming consoles of yore, bypassing DRM protections in a way that software hacks couldn’t quite do. As software complexity and therefore attack surface increased on newer consoles, software hacks have taken the stage. However, on more integrated pieces of hardware, we’ll still want to return to the old methods, and that’s what this modchip-based hack of a Starlink terminal brings us.

[Lennert Wouters]’ team has been poking and prodding at the Starlink User Terminal, trying to get root access, and needed to bypass the ARM Trusted Firmware boot-time integrity checks. The terminal’s PCB is satellite-dish-sized, so things like laser fault injection are hard to set up – hence, they went the voltage injection route. Much poking and prodding later, they developed a way to reliably glitch the CPU into verifying a faulty firmware, and got to a root shell – the journey described in a BlackHat talk embedded below.