Skip to content

Researchers tear down Starlink and gain access to the root terminal

  • by
  • 3 min read

A Belgian research group working at Ku Leuven published a teardown on the Starlink user terminal, nicknamed Dishy McFlatFace, and accessed the root terminal. 

While the blog by the researchers at KU Leuven’s Cosic doesn’t discuss any specific vulnerabilities, it does document techniques that can be used to study Starlink’s user terminal. The post also notes that there have been certain changes to the hardware compared to previous teardowns of the device. 

The terminal does come with a UART port for USB debugging, but access is restricted to those with development credentials. Another point to note is that logging in to the bootloader is disabled on consumer terminals, making this approach virtually impossible. 


Gaining access to Starlink’s terminal

Dishy McFlatFace might have a cute sounding name, but it’s no joke to infiltrate. While monitoring the boot process through the UART port, the team found that the u-Boot bootloader active on the device loads a kernel, ramdisk and a Flattened Device Tree from a Flattened uImage Tree, all of which is stored on an eMMC.

The onboard SoC. | Source: Research Group Cosic, KU Leuven

The booting process also revealed that the integrity and authenticity of the kernel, ramdisk and FDT are checked early on in the boot process. Finally, when the boot process is complete, the terminal asks for login credentials, and that’s where the team hit a dead end.

They report trying to guess the credentials but failed. However, monitoring the boot process did reveal the kernel command line arguments, starting addresses and the lengths of a few partitions. Additionally, it also revealed that the SoC has four CPU cores.


Reading the eMMC

According to the researchers, there are 10 test points on the 55cm PCB that contains the majority of the hardware. Starlink has left 10 test points on the eMMC, out of which the researchers only needed the clock (CLK), command (CMD) and data 0 (D0) points. 

An SD card reader hooked up to the eMMC | Source: Research Group Cosic, KI Leuven

To identify the aforementioned signals from the eMMC, the team soldered a short wire to each test point, creating a logic analyser capture during the terminal’s boot process. Once the points were identified, they dumped data from the eMMC using a regular card reader attached to the eMMC test points.

The final hurdle was to read the dumped firmware’s contents which aren’t exactly easy as Starlink uses a custom FIT format. However, since the company deployed a modified version of U-Boot, they were forces to make these changes public to remain GPL compliant.

The researchers haven’t exactly posted all their findings yet, and understandably so, considering SpaceX’s lawyers would have an eye on them. However, they did disclose that they could gain access to a root shell but didn’t quite disclose how. 

In the News: Geekbench delists OnePlus 9 and 9 Pro following benchmark manipulations

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>