Belgian security researcher [Lennert Wouters] has gotten his own code running on the Starlink “Dishy McFlatface” satellite terminals, and you can too! The hack in question is a “modchip” with an RP2040 and a MOSFET that crowbars the power rails, browning out the main CPU exactly when it’s verifying the firmware’s validity and bypassing that protection entirely. [Lennert] had previously figured out how to dump the Starlink firmware straight from the eMMC, and with the ability to upload it back, the circle of pwnership is closed. This was a talk at DEFCON, and you can check out the slides here. (PDF)
The mod chip itself was a sweet piece of work, being tailored to fit into the Starlink’s motherboard just so, and taking good advantage of the RP2040’s PIOs, which are probably the microcontroller’s superpower.
[Lennert] says he submitted his glitch attack to Starlink and they took some precautions to make the glitching harder. In particular, [Lennert] was triggering his timing off of the USART port coming up on the Starlink unit, so Starlink just shut that down. But it’s not like he couldn’t trigger on some other timing-relevant digital signal, so he chose the eMMC’s D0 data line: they’re not going to be able to boot up without it, so this hack is probably final. No shade against Starlink here. It’s almost impossible to shield a device against an attacker who has it on their bench, and [Lennert] concludes that he found no low-hanging fruit and was impressed that he had to work so hard to get root.
What can you do with this? Not much, yet. But in principle, it could be used to explore the security of the rest of the Starlink network. As reported in Wired, Starlink says that they’ve got a defence-in-depth system and that just getting into the network doesn’t really get you very far. We’ll see!
Thanks [jef] for the tip!