[ih] Belgian boffins dump Starlink dish terminal's firmware, gain root access and a few ideas

the keyboard of geoff goodfellow geoff at iconia.com
Thu Jul 8 16:31:50 PDT 2021


*Extra-terrestrial service probed*
EXCERPT:

Belgian boffins have *published a teardown of the Starlink user terminal*
<https://www.esat.kuleuven.be/cosic/blog/dumping-and-extracting-the-spacex-starlink-user-terminal-firmware/>
– also known as Dishy McFlatface – in which they managed to dump the device's
firmware that was housed on an eMMC card upon the PCB.

For the academics at the Katholieke Universiteit Leuven (KU Leuven),
actually getting their hands on the firmware for later analysis proved to
be a somewhat fraught process.

Although the hardware came with a UART (Universal Asynchronous Receiver
Transmitter) port for USB debugging, SpaceX opted — perhaps for obvious
reasons — to restrict access to those entrusted with development
credentials. Still, it revealed some clues, particularly when it came to
the boot process, with integrity and authenticity checks used to ensure the
kernel had not been tampered with.

The KU Leuven researchers then turned their attention to the eMMC card,
which contained the system image. SpaceX left 10 test points on the circuit
board, which corresponded to the equivalent solder points on the eMMC chip.
The academics were then able to create an ad-hoc logic capture device,
using a memory card reader and a few carefully soldered wires and
resistors, allowing them to dump the contents of the storage in-circuit.

The next hurdle came when the researchers attempted to read the firmware’s
contents, as SpaceX uses a custom FIT (flattened image tree) format.
Fortunately, these changes were publicly accessible, as the company
deployed a modified version of U-Boot, and was forced to publish its
changes in order to remain GPL compliant...

[...]
https://www.theregister.com/2021/07/08/belgian_boffins_dump_starlink_dish/

-- 
Geoff.Goodfellow at iconia.com
living as The Truth is True


