Diving Into Starlink’s User Terminal Firmware

The average Starlink user probably doesn’t spend a lot of time thinking about their hardware after getting the dish aligned and wiring run. To security researchers, however, it’s another fascinating device to tinker with as they reverse-engineer the firmware to find out both what makes it tick and how to break it. This is essentially the subject of [Carlo Ramponi]’s article over at Quarkslab as he digs into the firmware architecture and potential weaknesses in its internal communication.

The user terminal hardware itself is a fairly standard AArch64 ARM-based SoC, along with the proprietary communication interface, all of which is controlled by the Linux-based firmware. Dumping the firmware itself was made easy thanks to existing work by researchers at KU Leuven, involving dumping the contents of the onboard eMMC storage. After this the firmware architecture could be analyzed, which turned out to consist mostly of C++-based binaries, but with a single big binary for the user front-end written in Go.

Communication between these processes is handled through a custom inter-process protocol called ‘Slate Sharing’, all of which is coordinated via the core User Terminal Control process. It is these Slate IPC messages which form the most likely attack surface for a fuzzing attack, with the SoftwareUpdateRequest command being an interesting target as it would seem to not require authentication since it doesn’t address a specific user. This work is part of [Carlo]’s master’s thesis, and should form the basis of further research on the Starlink User Terminal firmware.

China Plans Its Own Megaconstellation To Challenge Starlink

Satellite internet used to be a woeful thing. Early networks relied on satellites in geostationary orbits, with high latency and minimal bandwidth keeping user demand low. That was until Starlink came along, and provided high-speed, low-latency internet access using a fleet of thousands of satellites in Low Earth orbit.

Starlink has already ruffled feathers due to concerns around light pollution and space junk in particular. Now, it appears that China may be readying its own competing constellation to avoid being crowded out of low orbits by the increasingly-popular service.


Converting On-Grid Electronics To Off-Grid

Husband and wife team [Jason & Kara] hail from Canada, and in 2018, after building their own camper, sold up their remaining earthly goods and headed south. If you’re not aware of them, they documented their journey on their YouTube channel, showing many interesting skills and hacks along the way. The video we’re highlighting today shows a myriad of ways to power all the DC-consuming gadgets that they lug along with them.

LiFePO4 batteries are far superior to lead acid for mobile solar installations.

Their heavily modded F-550 truck houses 12kWh of LiFePO4 batteries and a 1.5kW retractable solar array, with a hefty inverter generating the needed AC power. They weren’t too happy with the conversion losses from piles of wall warts that all drained a little power, knowing that the inverter that fed them was also not 100% efficient. For example, a typical laptop power brick gets really hot in a short time, and that heat is waste. They decided to run as much as possible direct from the battery bank, through different DC-DC converter modules in an attempt to streamline the losses a little. Obviously, these are also not 100% efficient, but keeping the load off the inverter (and thus reducing dependency upon it, in the event of another failure) should help stem the losses a little. After all, as [Jason] says, Watts saved are Watts earned, and all the little lossy loads add up to a considerable parasitic drain.

Home, sorry, truck automation system

One illustration of this is that their Starlink satellite internet system consumes about 60W when running from the inverter, but only 28W when running direct from DC. Over the course of 24 hours, that’s not far off 1kWh of savings, and if the sun isn’t shining, then that 12kWh battery isn’t going to stretch as far.

There are far too many hacks, tips, and illustrations of neat space- and power-saving solutions to list here. Those interested in self-build campers or hacking a commercial unit may pick up a trick or two.



Hackaday Links: March 26, 2023

Sad news in the tech world this week as Intel co-founder Gordon Moore passed away in Hawaii at the age of 94. Along with Robert Noyce in 1968, Moore founded NM Electronics, the company that would later go on to become Intel Corporation and give the world the first commercially available microprocessor, the 4004, in 1971. The four-bit microprocessor would be joined a few years later by the 8008 and 8080, chips that paved the way for the PC revolution to come. Surprisingly, Moore was not an electrical engineer but a chemist, earning his Ph.D. from the California Institute of Technology in 1954 before his postdoctoral research at the prestigious Applied Physics Lab at Johns Hopkins. He briefly worked alongside Nobel laureate and transistor co-inventor William Shockley before jumping ship with Noyce and others to found Fairchild Semiconductor, which is where he made the observation that integrated circuit component density doubled roughly every two years. This calculation would go on to be known as “Moore’s Law.”


Citizen-Driven Network Monitors Public Service Radio For Natural Disaster Alerts

Time is of the essence in almost every emergency situation, especially when it comes to wildfires. A wind-driven fire can roar across a fuel-rich landscape like a freight train, except one that can turn on a dime or jump a mile-wide gap in a matter of seconds. Usually, the only realistic defense against fires like these is to get the hell out of their way as soon as possible and make room for the professionals to do what they can to stop the flames.

Unfortunately, most people living in areas under threat of wildfires and other natural disasters are often operating in an information vacuum. Official channels take time to distribute evacuation orders, and when seconds count, such delays can cost lives. That’s the hole that Watch Duty seeks to fill.

Watch Duty is a non-profit wildfire alerting, mapping, and tracking service that provides near-real-time information to those living in wildfire country. Their intelligence is generated by a network of experienced fire reporters, who live in wildfire-prone areas and monitor public service radio transmissions and other sources to get a picture of what’s going on in their specific area. When the data indicate an incident is occurring, maps are updated and alerts go out via a smartphone app. Reporters have to abide by a strict code of conduct designed to ensure the privacy of citizens and the safety of first responders.

While Watch Duty’s network covers a substantial area of California — the only state covered so far — there were still a significant number of dead zones, mostly in the more remote areas of the Sierra Nevada Mountains and in the northern coastal regions. To fill these gaps, Watch Duty recently launched Watch Duty Echo, which consists of a network of remote listening posts.

Each station is packed with RTL-SDR receivers that cover a huge swath of spectrum used by the local fire, law enforcement, and EMS agencies, or any other organization likely to be called to respond to an incident. In addition, each station has an SDR dedicated to monitoring ADS-B transponders and air band frequencies, to get a heads-up on incidents requiring aerial support. The listening posts have wideband discone antennas and a dedicated 1090-MHz ADS-B antenna, with either a cellular modem or a Starlink terminal to tie into the Watch Duty network.

Hats off to the folks at Watch Duty for putting considerable effort into a system like this and operating it for the public benefit. Those who choose to live close to nature do so at their own risk, of course, but a citizen-driven network that leverages technology can make that risk just a little more manageable.

When [Elon] Says No, Just Reverse Engineer The Starlink Signal

We all know that it’s sometimes better to beg forgiveness than ask permission to do something, and we’ll venture a guess that more than a few of us have taken that advice to heart on occasion. But [Todd Humphreys] got the order of operations a bit mixed up with his attempt to leverage the Starlink network as a backup to the Global Positioning System, and ended up doing some interesting reverse engineering work as a result.

The story goes that [Todd] and his team at the University of Texas Austin’s Radionavigation Lab, on behalf of their sponsors in the US Army, approached Starlink about cooperating on a project to make their low-Earth orbit constellation provide position, navigation, and timing capabilities. Although initially interested in the project, Starlink honcho [Elon Musk] put the brakes on things, leaving [Todd]’s team high and dry. Not to be dissuaded, they bought a Starlink user terminal, built what amounts to a small radiotelescope — although we’ve seen something similar done with just an RTL-SDR — and proceeded to reverse-engineer the structure of Starlink’s Ku-band downlink signal. The paper (PDF link) on their findings is densely packed with details, such as the fact that Starlink uses an orthogonal frequency-division multiplexing (OFDM) scheme.

It’s important to note that their goal was not to break encryption or sniff in on user data; rather, they wanted access to the synchronization and timing signals embedded in the Starlink data structures. By using this data along with the publicly available ephemeris data for each satellite, it’s possible to quickly calculate the exact distance to multiple satellites and determine the receiver’s location to within 30 meters. It’s not as good as some GPS-Starlink hacks we’ve seen, but it’s still pretty good in a pinch. Besides, the reverse engineering work here is well worth a read.

Thanks to [Adrian] for the tip!

Snooping On Starlink With An RTL-SDR

With an ever-growing constellation of Starlink satellites whizzing around over our heads, you might be getting the urge to start experimenting with the high-speed internet service. But at $100 or more a month plus hardware, the barrier to entry is just a little daunting for a lot of us. No worries, though — if all you’re interested in is tracking [Elon]’s birds, it’s actually a pretty simple job.

Now, we’re not claiming that you’ll be able to connect to Starlink and get internet service with this setup, of course, and neither is the delightfully named [saveitforparts]. Instead, his setup just receives the beacon signals from Starlink satellites, which is pretty interesting all by itself. The hardware consists of his “Picorder” mobile device, which sports a Raspberry Pi, a small LCD screen, and a host of sensors, including an RTL-SDR dongle. To pick up the satellite beacons, he used a dirt-cheap universal Ku-band LNB, or low-noise block downconverter. They’re normally found at the focal point of a satellite TV dish, but in this case no dish is needed — just power it up with a power injector and point it to the sky. The signals show up on the Picorder’s display in waterfall mode; curiously, the waterfall traces look quite similar to the patterns the satellites make in the night sky, much to the consternation of astronomers.

Of course, you don’t have to have a Picorder to snoop in on Starlink — any laptop and SDR should work, despite [saveitforparts]’ trouble in doing so. You shouldn’t have much trouble replicating the results by following the video below, which also has a few tips on powering an LNB for portable operations.
