A Belgian research group at KU Leuven has published a teardown of the Starlink user terminal, nicknamed Dishy McFlatFace, and obtained a root shell on it.
While the blog post by the researchers at KU Leuven's COSIC group doesn't discuss any specific vulnerabilities, it does document techniques that can be used to study Starlink's user terminal. The post also notes that the hardware has changed in places compared to earlier teardowns of the device.
The terminal does expose a UART debug port, but the login prompt it presents only accepts development credentials. Another point to note is that access to the bootloader console is disabled on consumer terminals, so getting a shell that way is virtually impossible.
Gaining access to Starlink’s terminal
Dishy McFlatFace might have a cute-sounding name, but it's no joke to get into. While monitoring the boot process over the UART port, the team found that the U-Boot bootloader on the device loads a kernel, a ramdisk and a Flattened Device Tree (FDT) from a Flattened uImage Tree (FIT) image, all of which is stored on the eMMC.
Monitoring the boot also showed that the integrity and authenticity of the kernel, ramdisk and FDT are verified early in the boot process. Finally, once boot completes, the terminal presents a login prompt, and that's where the team hit a dead end.
They report trying to guess the credentials without success. However, the boot log did reveal the kernel command-line arguments and the start addresses and lengths of several partitions, and it showed that the SoC has four CPU cores.
Reading the eMMC
According to the researchers, most of the hardware sits on a 55cm PCB. Starlink left 10 test points for the eMMC on that board, of which the researchers only needed three: clock (CLK), command (CMD) and data line 0 (D0).
To work out which test point carried which signal, the team soldered a short wire to each one and captured them with a logic analyser while the terminal booted. Once CLK, CMD and D0 were identified, they dumped the eMMC's contents with an ordinary card reader wired to those three test points, which is enough to drive the eMMC in its 1-bit data mode.
The final hurdle was making sense of the dumped firmware, which isn't straightforward because Starlink uses a modified FIT format. However, since the company ships a modified version of U-Boot, it was forced to publish those changes to remain GPL compliant.
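As an added example (not code from the COSIC post or from the Starlink project), here is how the two steps above can be automated in Python: take CLK as the channel that toggles most, find CMD by decoding 48-bit MMC command frames whose CRC-7 checks on each remaining channel, and take D0 as the remaining channel that actually toggles. The capture, the test-point labels (TP1, TP3, TP5, TP7) and the command sequence are constructed for the example; a real trace would come from the analyser's export instead of build_sample_capture().

```python
# Identify the eMMC CLK, CMD and D0 lines in a logic-analyser capture of the boot and
# decode the host commands seen on CMD. The capture below is constructed, not a real
# Dishy trace, and the test-point labels TP1/TP3/TP5/TP7 are placeholders.

def crc7(bits):
    """CRC-7 used on MMC/SD command and response frames: polynomial x^7 + x^3 + 1, MSB first."""
    crc = 0
    for bit in bits:
        msb = crc >> 6
        crc = (crc << 1) & 0x7F
        if msb ^ bit:
            crc ^= 0x09
    return crc

def cmd_frame_bits(index, arg):
    """48-bit host command: start 0, transmission 1, 6-bit index, 32-bit argument, CRC-7, end 1."""
    body = [0, 1] + [(index >> i) & 1 for i in range(5, -1, -1)] + [(arg >> i) & 1 for i in range(31, -1, -1)]
    crc = crc7(body)
    return body + [(crc >> i) & 1 for i in range(6, -1, -1)] + [1]

def sample_on_rising_edges(clk, line):
    """In the default timing mode MMC lines are sampled on the rising clock edge; return one bit per edge."""
    return [line[i] for i in range(1, len(clk)) if clk[i - 1] == 0 and clk[i] == 1]

def decode_commands(bits):
    """Scan a bit stream for 48-bit host frames whose CRC-7 checks; return [(index, argument)]."""
    found, i = [], 0
    while i + 48 <= len(bits):
        f = bits[i:i + 48]
        if f[0] == 0 and f[1] == 1 and f[47] == 1 and crc7(f[:40]) == int("".join(map(str, f[40:47])), 2):
            found.append((int("".join(map(str, f[2:8])), 2), int("".join(map(str, f[8:40])), 2)))
            i += 48
        else:
            i += 1
    return found

def identify_emmc_lines(capture):
    """capture: {test point: [0/1 samples]}. CLK toggles most; CMD is the line on which CRC-valid
    command frames decode; D0 is the remaining line that toggles (unused or supply test points stay flat)."""
    toggles = {tp: sum(a != b for a, b in zip(v, v[1:])) for tp, v in capture.items()}
    clk = max(toggles, key=toggles.get)
    decoded = {tp: decode_commands(sample_on_rising_edges(capture[clk], v)) for tp, v in capture.items() if tp != clk}
    cmd = max(decoded, key=lambda tp: len(decoded[tp]))
    if not decoded[cmd]:
        raise ValueError("no CRC-valid command frames on any line: wrong CLK pick or sample rate too low")
    d0 = max((tp for tp in capture if tp not in (clk, cmd)), key=toggles.get)
    return {"CLK": clk, "CMD": cmd, "D0": d0, "commands": decoded[cmd]}

def hold(bits):
    """Stretch each bit over two samples, matching a capture at twice the bus clock."""
    return [b for bit in bits for b in (bit, bit)]

def build_sample_capture():
    """Constructed capture: host issues CMD0 (GO_IDLE_STATE), CMD1 (SEND_OP_COND) and CMD17
    (READ_SINGLE_BLOCK); a few clocks later the card starts a data block on D0."""
    idle = [1] * 8
    cmd_bits = idle + cmd_frame_bits(0, 0) + idle + cmd_frame_bits(1, 0x40FF8080) + idle + cmd_frame_bits(17, 0x2000) + [1] * 24
    d0_bits = [1] * len(cmd_bits)
    start = len(cmd_bits) - 24 + 3                  # data start bit, then the first data bits
    d0_bits[start:start + 10] = [0, 1, 0, 1, 1, 0, 0, 1, 0, 1]
    return {"TP1": [1] * (2 * len(cmd_bits)),       # flat line: not an eMMC bus signal
            "TP3": [0, 1] * len(cmd_bits),          # clock
            "TP5": hold(d0_bits), "TP7": hold(cmd_bits)}
```

On a real capture, export the channels from the analyser as 0/1 sample columns and feed them to identify_emmc_lines() as the dictionary; the decoded command list doubles as a sanity check, since a boot should open with CMD0 and CMD1 before any reads.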
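The checks described above (locating FIT images in the dump, recomputing the per-image hashes that U-Boot verifies early in boot, and listing the signature nodes and the key each one names) can be scripted against a standard FIT. The following is an added example in Python, not code from the COSIC post or from Starlink's published U-Boot changes, and it assumes the stock FIT layout rather than Starlink's modified one. The sample FIT it builds (make_sample_fit, KERNEL_SAMPLE, RAMDISK_SAMPLE) is constructed for the example; on a real dump you would pass the raw image bytes to analyse_dump().

```python
import hashlib
import re
import struct

FDT_MAGIC = b"\xd0\x0d\xfe\xed"                      # big-endian 0xd00dfeed
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9  # structure-block tokens

def find_fdt_blobs(dump):
    """Offsets of every FDT magic in a raw eMMC dump (candidate FITs and DTBs)."""
    return [m.start() for m in re.finditer(re.escape(FDT_MAGIC), dump)]

def parse_fdt(blob):
    """Parse an FDT into nested dicts {"props": {name: bytes}, "children": {name: node}}."""
    if blob[:4] != FDT_MAGIC:
        raise ValueError("not an FDT")
    off_struct, off_strings = struct.unpack_from(">II", blob, 8)
    pos, stack = off_struct, [{"props": {}, "children": {}}]   # stack[0] is a holder for the root
    while True:
        tok = struct.unpack_from(">I", blob, pos)[0]
        pos += 4
        if tok == BEGIN_NODE:          # NUL-terminated name, padded to a 4-byte boundary
            end = blob.index(b"\0", pos)
            node = {"props": {}, "children": {}}
            stack[-1]["children"][blob[pos:end].decode()] = node
            stack.append(node)
            pos = (end + 4) & ~3
        elif tok == END_NODE:
            stack.pop()
        elif tok == PROP:              # u32 length, u32 name offset into strings block, value
            length, nameoff = struct.unpack_from(">II", blob, pos)
            name = blob[off_strings + nameoff:blob.index(b"\0", off_strings + nameoff)].decode()
            stack[-1]["props"][name] = blob[pos + 8:pos + 8 + length]
            pos = (pos + 8 + length + 3) & ~3
        elif tok == END:
            return stack[0]["children"][""]      # the root node has the empty name
        elif tok != NOP:
            raise ValueError("bad token %#x" % tok)

def cstr(b): return b.rstrip(b"\0").decode()

def verify_image_hashes(root):
    """Recompute each hash-N subnode of each /images node: {image: {hash node: matches}}."""
    return {iname: {h: hashlib.new(cstr(n["props"]["algo"]), img["props"]["data"]).digest() == n["props"]["value"]
                    for h, n in img["children"].items() if h.startswith("hash")}
            for iname, img in root["children"]["images"]["children"].items()}

def list_signatures(root):
    """(config, node, algo, key-name-hint) for each signature-N node under /configurations."""
    confs = root["children"].get("configurations", {"children": {}})["children"]
    return [(c, s, cstr(n["props"]["algo"]), cstr(n["props"].get("key-name-hint", b"")))
            for c, cn in confs.items() for s, n in cn["children"].items() if s.startswith("signature")]

def analyse_dump(dump):
    """Hash results and signature nodes per FIT in a raw dump; plain DTBs and false magic hits are skipped."""
    report = {}
    for off in find_fdt_blobs(dump):
        try:
            root = parse_fdt(dump[off:])
        except (ValueError, KeyError, struct.error, IndexError):
            continue
        if "images" in root["children"]:
            report[off] = {"hashes": verify_image_hashes(root), "signatures": list_signatures(root)}
    return report

# Constructed sample FIT so the module runs offline; it is not Starlink's image.
KERNEL_SAMPLE, RAMDISK_SAMPLE = b"\x7fELF constructed kernel payload " * 4, b"\x1f\x8b constructed ramdisk payload"

def _emit(out, strings, name, node):
    out += struct.pack(">I", BEGIN_NODE) + name.encode() + b"\0"
    out += b"\0" * (-len(out) % 4)
    for pname, value in node.get("props", {}).items():
        out += struct.pack(">III", PROP, len(value), len(strings)) + value
        out += b"\0" * (-len(out) % 4)
        strings += pname.encode() + b"\0"
    for cname, child in node.get("children", {}).items():
        _emit(out, strings, cname, child)
    out += struct.pack(">I", END_NODE)

def build_fdt(root):
    """Serialise the nested-dict form into a DTB: 40-byte header, empty memreserve block, struct, strings."""
    sblob, strings = bytearray(), bytearray()
    _emit(sblob, strings, "", root)
    sblob += struct.pack(">I", END)
    off_struct, off_strings = 56, 56 + len(sblob)
    hdr = struct.pack(">10I", 0xD00DFEED, off_strings + len(strings), off_struct, off_strings, 40, 17, 16, 0,
                      len(strings), len(sblob))
    return hdr + b"\0" * 16 + bytes(sblob) + bytes(strings)

def _image(typ, data):
    return {"props": {"type": typ, "data": data},
            "children": {"hash-1": {"props": {"algo": b"sha256\0", "value": hashlib.sha256(data).digest()}}}}

def make_sample_fit():
    """Two hashed images plus one configuration with a signature node whose value is a placeholder."""
    return {"props": {"description": b"constructed sample FIT\0"}, "children": {
        "images": {"children": {"kernel-1": _image(b"kernel\0", KERNEL_SAMPLE),
                                "ramdisk-1": _image(b"ramdisk\0", RAMDISK_SAMPLE)}},
        "configurations": {"props": {"default": b"conf-1\0"}, "children": {"conf-1": {
            "props": {"kernel": b"kernel-1\0", "ramdisk": b"ramdisk-1\0"},
            "children": {"signature-1": {"props": {"algo": b"sha256,rsa2048\0", "key-name-hint": b"dev\0",
                                                    "sign-images": b"kernel\0ramdisk\0", "value": b"\0" * 256}}}}}}}}
```

A matching hash only proves the payload is intact; authenticity rests on the signature node, whose key-name-hint names a public key that lives in U-Boot's own control device tree rather than in the FIT, so the U-Boot binary in the dump is where to look next, and the published U-Boot source is where to look for how Starlink's format and verification path differ from stock.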
The researchers haven't posted all their findings yet, and understandably so, given that SpaceX's lawyers will be watching. They did, however, disclose that they were able to obtain a root shell, without saying how.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.