The Belgian boffins dump the firmware of the Starlink flat terminal, get root access and some ideas • The Register
Belgian boffins have posted a teardown of the Starlink user terminal – also known as Dishy McFlatface – in which they managed to dump the firmware of the device which was housed on an eMMC card on the PCB.
For academics at the Katholieke Universiteit Leuven (KU Leuven), getting their hands on the firmware for further analysis turned out to be a somewhat arduous process.
Although the hardware ships with a Universal Asynchronous Receiver Transmitter (UART) port for USB debugging, SpaceX has chosen – perhaps for obvious reasons – to restrict access to those given the credentials of development. Still, it did reveal a few clues, particularly regarding the boot process, with integrity and authenticity checks used to ensure the kernel had not been tampered with.
Researchers at KU Leuven then turned their attention to the eMMC card, which contained the system image. SpaceX left 10 test points on the circuit board, which matches the equivalent solder points on the eMMC chip. The academics were then able to create an ad hoc logic capture device, using a memory card reader and a few carefully soldered wires and resistors, allowing them to dump the contents of the in-circuit storage.
The next hurdle came when researchers attempted to read the firmware content, as SpaceX uses a custom FIT (flattened image tree) format. Fortunately, these changes were publicly available, as the company rolled out a modified version of U-Boot and was forced to release its changes in order to remain GPL compliant.
So far, the results have not yet been fully published, although the researchers claim they were able to gain access to a root shell, without adequately explaining how they accomplished it. It’s understandable, however, that they don’t release the entire dump with an eye on SpaceX’s lawyers.
The researchers also made some observations about the quad-core ARM processor used to power the terminal and its configuration, with each of the cores being responsible for a specific task. They also noticed that on all consumer devices, all connections are disabled, meaning that the initial attempt to access the device through the UART port was a dead end.
This isn’t the first Dishy McFlatface teardown we’ve seen, although all previous attempts at warranty destruction focused on physical hardware, rather than the software it is running. With a ticket price of $ 499, it’s best to leave those efforts to those with deep pockets and a curiosity that exceeds their aversion to potentially ruining an expensive kit.