# Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal

Lennert Wouters (@LennertWo), COSIC, KU Leuven

## Starlink 101

[Diagram: Starlink network overview (user terminal, satellites, ground station, Internet)]

## Teardowns







# Hardware revisions

### Circular UT

- 59 cm (23.23") diameter
- Residential
- rev1_pre_production
- rev1_production
- rev1_proto1/2/3
- rev2_proto0/1/3
- rev2_proto2 (SoC cut 3)
- rev2_proto4 (SoC cut 4)
- Hardware used in this talk (but the attack should apply to all UT hardware)

### Square UT

- 50 x 30 cm (19" x 12")
- Residential and RV
- rev3_proto0
- rev3_proto1
- rev3_proto2

### High Performance UT

- 57 x 51 cm (22" x 20")
- Business and Maritime
- hp1_proto0
- hp1_proto1

### Transceiver

- External phased array
- transceiver_rev2p0/5



## Accessible connectors on V2*

- Ethernet + power
- Motors
- UART
- Connector part numbers: JST BM10B-ZPDSS-TF(LF)(SN), JST BM05B-ZESS-TBT(LF)(SN)

*V1 hardware had an extra connector; V3 does not have easily accessible connectors.



# UART – U-Boot

```
U-Boot 2020.04-gddb7afb (Apr 16 2021 - 21:10:45 +0000)
Model: Catson
DRAM:  1004 MiB
MMC:   Fast boot:eMMC: 8xbit - div2
stm-sdhci0: 0
In:    nulldev
Out:   serial
Err:   serial
CPU ID: 0x00020100 0x87082425 0xb9ca4b91
Detected Board rev: #rev2_proto2
sdhci_set_clock: Timeout to wait cmd & data inhibit
FIP1: 3 FIP2: 3
BOOT SLOT B
Net:   Net Initialization Skipped
No ethernet found.
```

(Newer firmware no longer uses this U-Boot version.)

U-Boot does not accept serial input on non-development (fused) hardware: note that stdin is `nulldev` while stdout and stderr go to the serial console.







## UART – Login Prompt

```
Development login enabled: no

SpaceX User Terminal.
user1 login:
```





## PCB overview

[Annotated PCB photo; labelled component: STM STA8089 (GNSS receiver)]

## Clock generation

[PCB photo: clock generation circuitry]

# RF Components

- (A) Digital BeamFormer (DBF)
  - STM GLLBSUABBBA
  - Codename: SHIRAZ
- (B) Front-End Module (FEM)
  - Codename: PULSAR(AD)
- V2 hardware and up:
  - 1 DBF → 16 FEMs



## Siliconpr0n

Die shots of the RF chips:

- siliconpr0n.org/archive/doku.php?id=mcmaster:spacex:gea-aa12-109d-tg02-pulsarad
- siliconpr0n.org/archive/doku.php?id=mcmaster:spacex:gllbsuabbba-shiraz

Thanks to John McMaster! @johndmcmaster





## Main components

- (A) System-on-Chip
  - ST Microelectronics custom quad-core ARM Cortex-A53
  - GLLCCOCA6BF (cut 3?)
  - GLLCCODA6BF (cut 4?)
  - Codename: CATSON
- (B) Secure Element
  - STM STSAFE-A110
- (C) 4 GB eMMC
- (D) 2 x 4 Gbit DDR3





## SoC

- Through-substrate (backside) image of the GLLCCOCA6BF (cut 3?)
  - Thorlabs NIR camera
  - Mitutoyo NIR objective, 50x
- Can help narrow down interesting locations for some physical attacks
- Full resolution version will be available on siliconpr0n.org!





## Identifying eMMC test points

[Oscilloscope captures of candidate test points during boot]



# **Reading eMMC in-circuit**









# Extracting the eMMC dump

- Split the dump into:
  - TF-A boot stages: Firmware Image Packages (FIP)
    - unpack with TF-A fiptool
  - Flattened uImage Tree (FIT)
    - unpack with U-Boot dumpimage
  - SpaceX Runtime (dm-verity, error correcting codes)
  - SpaceX Calibration (dm-verity)
  - SpaceX EDR (LUKS)
  - SpaceX dish config (LUKS)
- More details:
  - esat.kuleuven.be/cosic/blog/dumping-and-extracting-the-spacex-starlink-user-terminal-firmware

### U-Boot GPL sources: spacex_catson_boot.h

```
#define CATS_BOOTFIP_0_OFFSET      0x00000000
#define CATS_BOOTFIP_1_OFFSET      0x100000
#define CATS_BOOTFIP_2_OFFSET      0x200000
#define CATS_BOOTFIP_3_OFFSET      0x300000
#define CATS_BOOTTERM1_OFFSET      0x400000
#define CATS_BOOTMASK1_OFFSET      0x480000
#define CATS_BOOTTERM2_OFFSET      0x500000
#define CATS_BOOTMASK2_OFFSET      0x580000
#define CATS_BOOT_A_0_OFFSET       0x600000
#define CATS_BOOT_B_0_OFFSET       0x700000
#define CATS_BOOT_A_1_OFFSET       0x800000
#define CATS_BOOT_B_1_OFFSET       0x900000
#define CATS_UBOOT_TERM1_OFFSET    0xA00000
#define CATS_UBOOT_TERM2_OFFSET    0xB00000
#define CATS_UNUSED_OFFSET         0xC00000
#define CATS_MTDOOPS_OFFSET        0xF00000
#define CATS_VERSION_INFO_A_OFFSET 0xF30000
#define CATS_VERSION_INFO_B_OFFSET 0xF50000
#define CATS_SECRETS_A_OFFSET      0xF70000
#define CATS_SECRETS_B_OFFSET      0xF90000
#define CATS_SXID_OFFSET           0xFB0000
#define CATS_KERNEL_A_OFFSET       0x1000000
#define CATS_CONFIG_A_OFFSET       0x2800000
#define CATS_KERNEL_B_OFFSET       0x3000000
#define CATS_CONFIG_B_OFFSET       0x4800000
#define CATS_SX_A_OFFSET           0x5000000
#define CATS_SX_B_OFFSET           0x6800000
#define CATS_EDR_OFFSET            0x8000000
#define CATS_DISH_CONFIG_OFFSET    0x113D1C00
```
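The header above gives the region boundaries, and the splitting step names the formats found in them (FIP, FIT, LUKS). The following is an added example, not SpaceX, TF-A or COSIC code: it carves a dump by those offsets, identifies each region by its public on-disk magic (TF-A FIP TOC header, flattened device tree, LUKS), and walks a FIP table of contents to name the BL2/BL31/BL33 images using the standard TF-A UUIDs. The image it runs on is a constructed sparse stand-in (only region heads are populated), not a real dump; a real dump would be read with `f.seek`/`f.read` through the same `read_at` hook.

```python
"""Carve a Catson eMMC dump into the regions of spacex_catson_boot.h,
identify each region by magic, and walk a TF-A FIP table of contents.

Added example (not SpaceX, TF-A or COSIC code). Offsets come from the U-Boot
header quoted above; the sample image below is constructed, not a real dump."""
import struct
import uuid

# (name, start) sorted by offset; a region ends where the next one starts.
LAYOUT = [
    ("BOOTFIP_0", 0x0), ("BOOTFIP_1", 0x100000), ("BOOTFIP_2", 0x200000),
    ("BOOTFIP_3", 0x300000), ("BOOTTERM1", 0x400000), ("BOOTMASK1", 0x480000),
    ("BOOTTERM2", 0x500000), ("BOOTMASK2", 0x580000), ("BOOT_A_0", 0x600000),
    ("BOOT_B_0", 0x700000), ("BOOT_A_1", 0x800000), ("BOOT_B_1", 0x900000),
    ("UBOOT_TERM1", 0xA00000), ("UBOOT_TERM2", 0xB00000), ("UNUSED", 0xC00000),
    ("MTDOOPS", 0xF00000), ("VERSION_INFO_A", 0xF30000), ("VERSION_INFO_B", 0xF50000),
    ("SECRETS_A", 0xF70000), ("SECRETS_B", 0xF90000), ("SXID", 0xFB0000),
    ("KERNEL_A", 0x1000000), ("CONFIG_A", 0x2800000), ("KERNEL_B", 0x3000000),
    ("CONFIG_B", 0x4800000), ("SX_A", 0x5000000), ("SX_B", 0x6800000),
    ("EDR", 0x8000000), ("DISH_CONFIG", 0x113D1C00),
]

FIP_TOC_HEADER_NAME = 0xAA640001      # TF-A FIP TOC header "name" field (LE u32)
FDT_MAGIC = b"\xd0\x0d\xfe\xed"       # FIT images are flattened device trees (BE u32)
LUKS_MAGIC = b"LUKS\xba\xbe"

# Standard TF-A image UUIDs (include/tools_share/firmware_image_package.h).
FIP_UUIDS = {
    uuid.UUID("5ff9ec0b-4d22-3e4d-a544-c39d81c73f0a"): "BL2",
    uuid.UUID("47d4086d-4cfe-9846-9b95-2950cbbd5a00"): "BL31",
    uuid.UUID("d6d0eea7-fcea-d54b-9782-9934f234b6e4"): "BL33",
}


def classify(head: bytes) -> str:
    """Guess a region's content type from its first bytes."""
    if len(head) >= 4 and struct.unpack_from("<I", head)[0] == FIP_TOC_HEADER_NAME:
        return "FIP"
    if head.startswith(FDT_MAGIC):
        return "FIT"
    if head.startswith(LUKS_MAGIC):
        return "LUKS"
    if not head.strip(b"\x00\xff"):   # only 0x00/0xFF: erased or unused flash
        return "empty"
    return "unknown"


def parse_fip_toc(data: bytes):
    """Return [(image, offset, size)] from a FIP; the TOC ends at a null UUID entry."""
    name, _serial, _flags = struct.unpack_from("<IIQ", data, 0)
    if name != FIP_TOC_HEADER_NAME:
        raise ValueError("not a FIP")
    entries, pos = [], 16
    while pos + 40 <= len(data):
        raw_uuid, off, size, _eflags = struct.unpack_from("<16sQQQ", data, pos)
        pos += 40
        if raw_uuid == bytes(16):
            break
        entries.append((FIP_UUIDS.get(uuid.UUID(bytes=raw_uuid), "unknown"), off, size))
    return entries


def carve(read_at, image_size):
    """Yield (name, start, size, type) per region; read_at(offset, n) -> bytes."""
    for i, (name, start) in enumerate(LAYOUT):
        end = LAYOUT[i + 1][1] if i + 1 < len(LAYOUT) else image_size
        yield name, start, end - start, classify(read_at(start, 64))


# ---- constructed sample image: sparse dict, only region heads populated ----
def build_fip(images):
    """Pack (uuid, payload) pairs into a minimal FIP: header, TOC, payloads."""
    toc = struct.pack("<IIQ", FIP_TOC_HEADER_NAME, 0x12345678, 0)
    off, payload = 16 + 40 * (len(images) + 1), b""
    for u, blob in images:
        toc += struct.pack("<16sQQQ", u.bytes, off, len(blob), 0)
        off, payload = off + len(blob), payload + blob
    return toc + bytes(40) + payload


BL2, BL31, BL33 = list(FIP_UUIDS)
SAMPLE = {
    0x0: build_fip([(BL2, b"\xb2" * 0x100)]),
    0x600000: build_fip([(BL31, b"\x31" * 0x80), (BL33, b"\x33" * 0x200)]),
    0x1000000: FDT_MAGIC + bytes(60),
    0x8000000: LUKS_MAGIC + bytes(58),
}
IMAGE_SIZE = 0x113D1C00 + 0x100000


def sample_read_at(offset, n):
    return SAMPLE.get(offset, b"")[:n].ljust(n, b"\x00")


def demo():
    regions = {name: kind for name, _, _, kind in carve(sample_read_at, IMAGE_SIZE)}
    return regions, parse_fip_toc(SAMPLE[0x600000])


if __name__ == "__main__":
    regions, toc = demo()
    for name, kind in regions.items():
        if kind != "empty":
            print(f"{name:15s} {kind}")
    print(toc)
```

Regions flagged `unknown` are the dm-verity protected filesystems, which carry no magic at their first byte; those are the ones to hand to `dumpimage`/`fiptool` or to mount read-only once the verity root hash has been located.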




## Temperature and RF channels

Thermal-limit configuration found on the UT (excerpt):

```
# This file describes the limits for thermal control.
# All temperatures are in degrees Celsius.
# All control cycle counts are for 50 Hz.

# ----- Power-cut -----
# When any sensor exceeds these trip thresholds for its corresponding
# persistence, the power to all DBFs and FEMSs will be cut. The User Terminal
# must reboot to recover. These temperatures are slightly above the maximum
# junction temperature of the corresponding components. MAC throttle and forced
# idle is intended to more-gracefully take care of all overtemp situations.
# This FDIR is a last-ditch response to reduce in case idling is insufficient
# or we have lost control of the beamformers.

center_power_cut.t_trip 90.0
cpu0_power_cut.t_trip 128.0
pa_power_cut.t_trip 118.0
dbf_power_cut.t_trip 118.0

# The number of cycles that the trip thresholds must be exceeded for before
# the power-cut FDIR activates.

center_power_cut.persistence_limit 2000 # 40 seconds
cpu0_power_cut.persistence_limit 2000 # 40 seconds
pa_power_cut.persistence_limit 2000 # 40 seconds
dbf_power_cut.persistence_limit 2000 # 40 seconds

# The number of cycles from when power-cut is tripped to when the UT reboots.
# Gives time to allow the UT to cool down.

power_cut.reboot_delay 30000 # 10 minutes

# ----- Forced-idle -----

# When any sensor exceeds these trip thresholds for its corresponding
# persistence, all DBFs and FEMSs will be commanded to Idle mode.
# Once all sensors have fallen below their clear thresholds, normal
```

RF channel definitions (excerpt; Ku-band uplink channels in GHz, plus optical inter-satellite laser channels):

```
{ "channel_id": 13, "direction": "uplink", "end": 14.1875, "start": 14.125 },
{ "channel_id": 14, "direction": "uplink", "end": 14.25,   "start": 14.1875 },
"laser_channel_definitions": [
  { "color": "LASER_COLOR_RED",  "frequency_ghz": 192700, "itu_channel_id": 27 },
  { "color": "LASER_COLOR_BLUE", "frequency_ghz": 193500, "itu_channel_id": 35 }
```



## Development geofences

[Map of development geofence regions]



# Obtaining root

Fault injection options considered:

- Flip-chip packaging exposes the die backside
  - Laser Fault Injection, Body Bias Injection, Electromagnetic Fault Injection
  - ✗ PCB is too big for our automatic XYZ positioning equipment
    - Likely cumbersome to do on a roof...
  - ✗ No development kits
- Differential clock input
  - (But PLL?)
- Reset line
- Voltage Fault Injection (the approach taken)





# Crowbar VFI

- NewAE ChipWhisperer-Lite (~ $250)
  - Glitch port is connected to the SoC core voltage
  - Momentarily shorts the core voltage to GND
- Core voltage: ~1 V, generated by a TI TPS56C230
- All decoupling capacitors untouched at this point!
- Oscilloscope triggers on serial data
  - Trigger output is fed to the ChipWhisperer-Lite trigger input
- Glitch parameters controlled from Python
  - Offset from the trigger point
  - Glitch width





## Example output

Kernel oops produced by a crowbar glitch on the fully booted system (the stray `sh: 0: unknown operand` / `yes` lines are a boot script misbehaving under the fault):

```
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000820
[    7.387702] 002: Mem abort info:
sh: 0: unknown operand
[    7.387704] 002:   ESR = 0x96000006
yes
[    7.387707] 002:   EC = 0x25: DABT (current EL), IL = 32 bits
[    7.387711] 002:   SET = 0, FnV = 0
[    7.387714] 002:   EA = 0, S1PTW = 0
[    7.387716] 002: Data abort info:
[    7.387718] 002:   ISV = 0, ISS = 0x00000006
[    7.387721] 002:   CM = 0, WnR = 0
[    7.387723] 002: user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a51fd000
[    7.387730] 002: [0000000000000820] pgd=00000000a50d1003, pud=00000000a50d1003, pmd=0000000000000000
[    7.387739] 002: Internal error: Oops: 96000006 [#1] PREEMPT_RT SMP
[    7.387748] 002: Modules linked in:
[    7.387753] 002: CPU: 2 PID: 275 Comm: syslogd Not tainted 5.4.34-rt21-gfd24730 #1
[    7.387760] 002: Hardware name: spacex_satellite_user_terminal (DT)
[    7.387766] 002: pstate: 00000005 (nzcv daif -PAN -UAO)
[    7.387770] 002: pc : do_undefinstr+0x2c/0x1d8
[    7.387787] 002: lr : el0_undef+0xc/0x10
[    7.387793] 002: sp : ffffffc0145b3e70
[    7.387797] 002: x29: ffffffc0145b3e70 x28: ffffff8025009a00
[    7.387803] 002: x27: 0000000000000000 x26: 0000000000000000
[    7.387808] 002: x25: 0000000000000000 x24: 0000000000000000
[    7.387814] 002: x23: 0000000080000000 x22: 0000000000403fb0
[    7.387818] 002: x21: 00000000ffffffff x20: 0000000000000000
[    7.387823] 002: x19: 0000000000000018 x18: 0000000000000000
[    7.387828] 002: x17: 0000000000000000 x16: 0000000000000000
[    7.387832] 002: x15: 0000000000000000 x14: 0000000000000000
```







### ✓ The Proof-of-Concept works

- ✓ Was reproduced by the SpaceX PSIRT
- ✓ Easy to produce (undesirable) faults
  - ✓ A fully booted SoC is already being pushed to its limits
- ✗ Slow: 1 attempt every 12 seconds (one per boot)
  - ✗ Low success rate: many hours for one good attempt
- ✗ Unreliable: a successful glitch often also results in other errors







# STM/SpaceX ARM TF-A

### SoC Root of Trust (BL1, in ROM)

1. BL1 loads the BL2 certificate from eMMC
2. BL1 verifies the certificate's signature
3. BL1 loads the BL2 firmware from eMMC
4. BL1 verifies that SHA512(BL2) matches the hash contained in the certificate

### eMMC

- BL2 (Trusted boot firmware)
- BL31 (Secure world runtime firmware)
- BL33 (U-Boot)
- Flattened uImage Tree (FIT)
- SpaceX Runtime (dm-verity)
- Calibration/EDR/... (dm-verity / LUKS)





# BL1 Glitch setup

[Photo of the BL1 glitch setup]

## Normal boot

[Power trace: signature verification visible]

## Glitched boot

[Power trace: signature verification skipped?!]

(3 x 10e6 samples per trace)


## BL1 analysis

- BL1 (the ROM bootloader) is mapped at 0x3000000 and readable from BL2!
  - BSEC eFuses are mapped at 0x22400000 (shadow registers)
- Emulated the ROM bootloader using Unicorn Engine
  - Fuzzed using AFL++ in Unicorn mode
- Simulated instruction skip faults in Unicorn Engine
  - Single instruction skip faults do not result in the observed behavior!
    - The code has some control flow checks and redundant operations
  - Skipping two consecutive instructions does result in the observed behavior
    - (The actual fault model is likely to be different)
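To make the four-step authentication flow and the role of the control-flow checks concrete, here is an added toy model; it is not SpaceX's or Trusted Firmware-A's code. Two assumptions: the certificate "signature" is HMAC-SHA512 under a constructed key so the block runs with the Python standard library alone (real BL1 verifies an asymmetric signature against a key rooted in the SoC), and the progress-mask check is the generic countermeasure pattern, not the specific check in the Catson ROM. The attacker's certificate carries the correct digest of a patched BL2 but no valid signature, exactly the situation in the glitched boot: skipping only the signature comparison passes the hash check and is then caught by the final check, and only a fault that also defeats that check boots the patched image.

```python
"""Toy TBBR-style BL1 authentication with a final control-flow check.

Added example, not SpaceX or TF-A code. HMAC stands in for the real
asymmetric signature so that this runs without third-party libraries."""
import hashlib
import hmac

PLATFORM_KEY = b"constructed-platform-key"   # stand-in for the SoC root of trust
SIG_OK, HASH_OK = 0b01, 0b10                 # progress bits set by each check


class AuthError(Exception):
    pass


def make_cert(bl2: bytes, key: bytes = PLATFORM_KEY) -> bytes:
    """Certificate = SHA-512(BL2) || signature over that digest (64 + 64 bytes)."""
    digest = hashlib.sha512(bl2).digest()
    return digest + hmac.new(key, digest, hashlib.sha512).digest()


def forge_cert(bl2: bytes) -> bytes:
    """What an attacker can build: correct digest of their BL2, garbage signature."""
    return hashlib.sha512(bl2).digest() + bytes(64)


def bl1_boot(emmc: dict, skipped=()) -> str:
    """Run the four steps; `skipped` names checks a fault made the CPU jump over."""
    progress = 0
    cert = emmc["bl2_cert"]                                   # 1. load certificate
    digest, sig = cert[:64], cert[64:]
    if "verify_sig" not in skipped:                           # 2. verify signature
        expected = hmac.new(PLATFORM_KEY, digest, hashlib.sha512).digest()
        if not hmac.compare_digest(sig, expected):
            raise AuthError("certificate signature invalid")
        progress |= SIG_OK
    bl2 = emmc["bl2"]                                         # 3. load BL2
    if "verify_hash" not in skipped:                          # 4. compare SHA-512
        if hashlib.sha512(bl2).digest() != digest:
            raise AuthError("BL2 hash mismatch")
        progress |= HASH_OK
    if "final_check" not in skipped:                          # control-flow check
        if progress != SIG_OK | HASH_OK:
            raise AuthError("plat_error_handler: control-flow check failed")
    return "BL1: Booting BL2"


def scenarios() -> dict:
    """Outcome of each boot: genuine image, patched image, patched image with faults."""
    genuine = b"signed SpaceX BL2"
    patched = b"BL2: Patched on Earth!"
    cases = {
        "genuine": ({"bl2_cert": make_cert(genuine), "bl2": genuine}, ()),
        "patched BL2 under genuine cert": ({"bl2_cert": make_cert(genuine), "bl2": patched}, ()),
        "patched, forged cert": ({"bl2_cert": forge_cert(patched), "bl2": patched}, ()),
        "patched, forged cert, skip verify_sig":
            ({"bl2_cert": forge_cert(patched), "bl2": patched}, ("verify_sig",)),
        "patched, forged cert, skip verify_sig + final_check":
            ({"bl2_cert": forge_cert(patched), "bl2": patched}, ("verify_sig", "final_check")),
    }
    results = {}
    for name, (emmc, skipped) in cases.items():
        try:
            results[name] = bl1_boot(emmc, skipped)
        except AuthError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:55s} -> {outcome}")
```

The lesson is the one the slide draws: a countermeasure that assumes single-instruction skips is defeated by a fault that disturbs two dependent operations, and the effort is better spent making the check itself fault-resistant (redundant comparisons, checks spread across the flow) than on any one comparison.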





Tools used:

- github.com/unicorn-engine/unicorn
- github.com/AFLplusplus/AFLplusplus



# BL1 glitch detection example

### BL1 UART output

```
INFO:    BL1: Get the image descriptor
INFO:    BL1: Loading BL2
INFO:    Loading image id=6 at address 0x30209000
INFO:    Skip reserving region [base = 0x30209000, size = 0x90]
INFO:    Image id=6 loaded at address 0x30209000, size = 0x90
INFO:    cert_nv_ctr : 1
INFO:    plat_nv_ctr : 0
INFO:    Loading image id=1 at address 0x30209000
INFO:    Image id=1 loaded at address 0x30209000, size = 0xf178
NOTICE:  BL1: Booting BL2
NOTICE:  plat_error_handler err = -80
         Authentication error !!!
```

What happened:

- Certificate (image id=6) has been loaded. It contains an invalid signature but a valid digest of the BL2 firmware.
- Signature verification succeeded! (It should have failed.)
- BL2 firmware (image id=1) was loaded and its digest verified against the certificate.
- The final control flow check detects our glitch and calls the platform error handler. ☹
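The Crowbar VFI setup above sweeps offset and width from Python with one boot per attempt, and the log just shown is what a detected glitch looks like on the UART. The following is an added example, not the talk's tooling: it separates the two pieces such a campaign needs, a classifier that turns one boot's UART log into an outcome class using the BL1 messages quoted above, and a sweep loop over (offset, width) that power-cycles the target before every attempt and stops at the first success. A constructed `SimulatedTarget` stands in for the ChipWhisperer-Lite and the UT so the loop runs offline; its parameter windows are invented for the demo, not measured values.

```python
"""Glitch-campaign controller: one boot per (offset, width) pair, each boot's
UART log classified from the BL1 messages shown above.

Added example, not the talk's tooling. SimulatedTarget is a constructed
stand-in for ChipWhisperer-Lite + UT; its behaviour windows are made up."""
import itertools
import re
from collections import Counter

NORMAL, RESET, CRASH, DETECTED, SUCCESS = "normal", "reset", "crash", "detected", "success"

# Markers from the BL1 UART output. Order matters: with an unsigned BL2 the
# normal flow reports the authentication error and never prints "Booting BL2";
# a glitch that skipped signature verification reaches "Booting BL2" first and
# is then caught by the final control-flow check.
RE_BOOTING_BL2 = re.compile(r"BL1: Booting BL2")
RE_AUTH_ERROR = re.compile(r"plat_error_handler err = -\d+|Authentication error")
RE_BL2_RUNNING = re.compile(r"^NOTICE:\s+BL2:", re.M)   # our own BL2 printing


def classify_boot(uart_log: str) -> str:
    """Map one boot's UART output to an outcome class."""
    if not uart_log.strip():
        return RESET                                 # crowbar held too long: no boot at all
    booting = RE_BOOTING_BL2.search(uart_log)
    error = RE_AUTH_ERROR.search(uart_log)
    if booting and RE_BL2_RUNNING.search(uart_log):
        return SUCCESS                               # BL2 executed: secure boot bypassed
    if booting and error and error.start() > booting.start():
        return DETECTED                              # verification skipped, final check fired
    if error and not booting:
        return NORMAL                                # image rejected the usual way
    return CRASH                                     # truncated or garbled boot


def run_campaign(target, offsets, widths):
    """Sweep all (offset, width) pairs, one boot each; stop at the first success."""
    results, totals = {}, Counter()
    for offset, width in itertools.product(offsets, widths):
        target.power_cycle()                         # regulator enable pin: one attempt per boot
        outcome = classify_boot(target.boot_with_glitch(offset, width))
        results[(offset, width)] = outcome
        totals[outcome] += 1
        if outcome == SUCCESS:
            break
    return results, totals


class SimulatedTarget:
    """Constructed stand-in for the UT + ChipWhisperer-Lite. offset: cycles after
    the UART trigger; width: glitch length. The windows below are invented."""
    PREFIX = ("INFO:    BL1: Loading BL2\n"
              "INFO:    cert_nv_ctr : 1\n"
              "INFO:    plat_nv_ctr : 0\n"
              "INFO:    Image id=1 loaded at address 0x30209000, size = 0xf178\n")
    ERROR = "NOTICE:  plat_error_handler err = -80\n         Authentication error !!!\n"
    NORMAL_LOG = PREFIX + ERROR
    DETECTED_LOG = PREFIX + "NOTICE:  BL1: Booting BL2\n" + ERROR
    SUCCESS_LOG = PREFIX + "NOTICE:  BL1: Booting BL2\nNOTICE:  BL2: Patched on Earth!\n"

    def power_cycle(self):
        self.attempts = getattr(self, "attempts", 0) + 1

    def boot_with_glitch(self, offset, width):
        if width > 40:
            return ""                                # brown-out: SoC resets silently
        if 1001 <= offset <= 1010 and 20 <= width <= 30:
            return self.SUCCESS_LOG if offset % 2 == 0 else self.DETECTED_LOG
        if width > 30:
            return self.PREFIX                       # died mid-boot
        return self.NORMAL_LOG


def demo():
    return run_campaign(SimulatedTarget(), range(990, 1020), [10, 25, 35, 50])


if __name__ == "__main__":
    results, totals = demo()
    print(dict(totals))
    print([k for k, v in results.items() if v in (DETECTED, SUCCESS)])
```

In a real campaign the `detected` class is the most valuable feedback: it marks parameter pairs that reached the verification code at the right moment, so the search is narrowed around them rather than across the whole grid.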




# Enabling decoupling capacitors

- The decoupling capacitors are disconnected for the BL1 glitch but are needed for the later boot stages, so they have to be switched back in after the glitch
- Experimented with:
  - N-channel MOSFETs
  - P-channel MOSFETs
  - High/low side switching
  - Gate voltage
  - MOSFET drivers
  - Capacitor sizes
  - Timing







- Demonstrated a full attack in the lab!
  - But the setup is still too bulky to be used in a practical setting (e.g., on the roof)
- SpaceX offered an easy way out: SSH access through a Yubikey
  - But I was already too far down the rabbit hole ...

```
vehicle=$(whatVehicleAmI)
rev=$(whatRevAmI)
nodetype=$(whatNodeTypeAmI)

if [ "$vehicle" = "uterm" ] && [ "$rev" != "0" ]; then
    # Create static AuthorizedPrincipalsFile for UTs and Transceivers only.
    catson_uuid="$(printf "%08x-%08x-%08x\n" \
                        $(cat /sys/bus/platform/devices/*.catson_fuses/devid[012]))"

    # Maintain compatibility with transceiver certificate format.
    principal=$vehicle
    if [ "$(whatVehicleVariantAmI)" = "starlink_transceiver" ]; then
        principal="transceiver"
    fi
    echo "spacex:$principal:researcher:$catson_uuid" > /etc/ssh/authorized_principals
fi
```

The principal is bound to the SoC's fused device ID, so a researcher certificate issued for one terminal does not grant access to another.







## Creating a mobile setup

- Replacing lab equipment with low-cost off-the-shelf components
- A Raspberry Pi Pico replaces the oscilloscope and the ChipWhisperer
- Works
  - But still messy...







# PCB design

- Scanner @ 600 DPI
- Draw the board outline at real size in Inkscape
  - Load it in KiCad and use it in the Edge.Cuts layer
- Board dimension label: 6 cm (2.36")

## Installed modchip

Connections to the UT:

- Core voltage regulator enable pin (for power cycling)
- 12V for the MOSFET drivers and standalone power
- 1V8 for the level shifter



# SpaceX strikes back

- I did a firmware update...
- A previously unused eFuse is now blown and disables UART output
- The modchip was designed to trigger on UART

Decompiled BL1 UART initialisation (Ghidra output, lightly cleaned; the fuse check gates whether the UART is configured at all):

```
if (L'\xffffffff' < BSEC_UART_EN) {
  DAT_30204160_UART_EN = L'\xde486bc3';
}
if (DAT_30204160_UART_EN == L'\xde486bc3') {
  _GLLCFF_SYSCFG_PIO_A_BASE = _GLLCFF_SYSCFG_PIO_A_BASE & 0xf1
  DataSynchronizationBarrier(3,3);
  _GLLCFF_SYSCFG_PIO_A_BASE_A0 = _GLLCFF_SYSCFG_PIO_A_BASE_A0
  DataSynchronizationBarrier(3,3);
  uVar1 = 10000000;
  if ((_BOOTMODE_REGISTER_09130048 & 1) != 0) {
    uVar1 = 200000000;
  }
  set_uart_baud(&UART_BAUDRATE, uVar1, 115200);
  printf(s_INFO:_AUTOSTARTUP_MODE_=_%d_3000b08e, (ulong)(_BOOTMODE_REGISTER_09130048 & 1));
}
```















## Overcome

- Trigger on eMMC D0 instead of UART
- Modchip could be easily adapted
  - Disconnect UT UART TX
  - Connect to eMMC D0
  - Update glitch parameters from Python
- Alternative: new PCB revision







## Network

- All interesting communication uses mutually authenticated TLS (client key in the STSAFE)
- Added STSAFE support to the tlslite-ng TLS implementation
  - Python script to download the latest firmware updates
- Mostly IPv6; the peer is 2620:134:b000::1:0:0
  - Open ports (nmap): 8001-8012, 9000, 9003, 9005, 9010, 9011

Wireshark capture of the UT's traffic (source addresses truncated as in the original):

| No. | Source | Destination | Protocol | Length | Info |
|-----|--------|-------------|----------|--------|------|
| 1 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 717 | 50256 → 8010 Len=669 |
| 2 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 717 | 50256 → 8010 Len=669 |
| 3 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 873 | 50256 → 8010 Len=825 |
| 4 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 133 | 50256 → 8010 Len=85 |
| 5 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 133 | 50256 → 8010 Len=85 |
| 6 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 133 | 50256 → 8010 Len=85 |
| 7 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 140 | 50256 → 8010 Len=92 |
| 8 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TCP | 72 | 42540 → 9005 [ACK] Seq=1 Ack=1 Win=503 Len=0 TSval=692614557 TSecr=24957027 |
| 9 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 626 | 50256 → 8010 Len=578 |
| 10 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 518 | 50256 → 8010 Len=470 |
| 11 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 246 | 50256 → 8010 Len=198 |
| 12 | 2620:134:b000::1:0:0 | 2620:134:b000:104:af24:36:: | TCP | 72 | [TCP ACKed unseen segment] 9005 → 42540 [ACK] Seq=1 Ack=2 Win=8 Len=0 TSval |
| 13 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TLSv1.2 | 206 | Application Data |
| 14 | 2620:134:b000::1:0:0 | 2620:134:b000:104:af24:36:: | TCP | 1300 | 9003 → 43276 [ACK] Seq=1 Ack=135 Win=8 Len=1228 TSval=2495721239 TSecr=6926 |
| 15 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TCP | 72 | 43276 → 9003 [ACK] Seq=135 Ack=1229 Win=503 Len=0 TSval=692618062 TSecr=249 |
| 16 | 2620:134:b000::1:0:0 | 2620:134:b000:104:af24:36:: | TLSv1.2 | 559 | Application Data |
| 17 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TCP | 72 | 43276 → 9003 [ACK] Seq=135 Ack=1716 Win=500 Len=0 TSval=692618063 TSecr=249 |
| 18 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 847 | 50256 → 8010 Len=799 |
| 19 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TCP | 80 | 39302 → 8002 [SYN] Seq=0 Win=64480 Len=0 MSS=1240 SACK_PERM=1 TSval=6926184 |
| 20 | 2620:134:b000::1:0:0 | 2620:134:b000:104:af24:36:: | TCP | 80 | 8002 → 39302 [SYN, ACK] Seq=0 Ack=1 Win=65084 Len=0 MSS=1240 SACK_PERM=1 TS |
| 21 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TCP | 72 | 39302 → 8002 [ACK] Seq=1 Ack=1 Win=64512 Len=0 TSval=692618634 TSecr=249572 |
| 22 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TLSv1.2 | 279 | Client Hello |
| 23 | 2620:134:b000::1:0:0 | 2620:134:b000:104:af24:36:: | TCP | 72 | 8002 → 39302 [ACK] Seq=1 Ack=208 Win=65536 Len=0 TSval=2495721997 TSecr=692 |
| 24 | 2620:134:b000::1:0:0 | 2620:134:b000:104:af24:36:: | TLSv1.2 | 1300 | Server Hello |
| 25 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TCP | 72 | 39302 → 8002 [ACK] Seq=208 Ack=1229 Win=64384 Len=0 TSval=692618809 TSecr=2 |
| 26 | 2620:134:b000::1:0:0 | 2620:134:b000:104:af24:36:: | TLSv1.2 | 414 | Certificate, Server Key Exchange, Certificate Request, Server Hello Done |
| 27 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TCP | 72 | 39302 → 8002 [ACK] Seq=208 Ack=1571 Win=64384 Len=0 TSval=692618809 TSecr=2 |
| 28 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 847 | 50256 → 8010 Len=799 |
| 29 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TLSv1.2 | 788 | Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, E |
| 30 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | UDP | 211 | 50256 → 8010 Len=163 |
| 31 | 2620:134:b000::1:0:0 | 2620:134:b000:104:af24:36:: | TCP | 72 | 8002 → 39302 [ACK] Seq=1571 Ack=924 Win=65536 Len=0 TSval=2495722373 TSecr= |
| 32 | 2620:134:b000::1:0:0 | 2620:134:b000:104:af24:36:: | TLSv1.2 | 842 | New Session Ticket, Change Cipher Spec, Encrypted Handshake Message |
| 33 | 2620:134:b000:104:af24:36:: | 2620:134:b000::1:0:0 | TCP | 72 | 39302 → 8002 [ACK] Seq=924 Ack=2341 Win=64384 Len=0 TSval=692619193 TSecr=2 |

Frame 26 shows the server sending a Certificate Request: the server only completes the handshake for a client that can present a certificate and prove possession of the matching key, which on the UT lives in the STSAFE.

### Firmware update archive

| Name | Size |
|------|------|
| 0ad30efd-5511-48bd-86e6-a9a5bd9c4140.uterm.release | 34.3 MB |
| 0ff779fe-a697-4464-8fe4-e05d4aa51754.uterm.release | 36.0 MB |
| 6e4bc82a-9fa9-442d-8be0-92ef529514e7.uterm.release | 33.9 MB |
| 7e10fc86-eb96-4b86-a0d4-95a45017944d.uterm.release | 36.0 MB |
| 169171df-70e1-4858-9d6f-9ba0885891a1.uterm.release | 36.3 MB |
| 29424243-0ba5-4e9b-b402-79d25cb6f8de.uterm.release | 50.3 MB |
| a6b08c6e-3b2d-4346-af31-a54397819878.uterm.release | 35.7 MB |
| b9b5b228-5d06-4bd5-999f-8f278d8022d4.uterm.release | 50.3 MB |
| c06c67d2-401c-4d6a-9bd2-25af7370392b.uterm.release | 33.1 MB |
| c9ae03c7-e90a-4f61-87e8-fb484272f30b.uterm.release | 35.9 MB |
| cd5f774c-1c0e-4da8-9411-e7538713f511.uterm.release | 36.3 MB |
| de06deab-2814-4496-9ad7-bd47cc9e6ecc.uterm.release | 35.9 MB |
| ffbba606-958e-40c1-9668-b8f1cbf13081.uterm.release | 50.3 MB |



## What's next?

- You can make your own modchip and use it to:
  - Further explore the network infrastructure
    - Not accessible as a normal user
    - Integrate the STSAFE with gRPC
  - Interact with the Digital BeamFormers and update their firmware
  - Repurpose your terminal?

Example: reading DBF/FEM registers with the on-device diagnostic tool (output truncated as in the original):

```
[root@user1 bin]# ./ut_silicon_diag --dbf=1 --write_csv=false
FSW peek/poke client created successfully.
Clearing Shiraz RFFE FIFO Status register.
Functional read: 2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20
Engineering read: 2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.2
dbf_id,fem_id,func_reg_0F_00,eng_reg_0F_00
1,2,0x3B1C1B00C21AC3980E04AA401026414D,0x0000C4D91C25539B00621654970B3400
1,3,0xBB1A1800C21AC3980F059A040425C56D,0x8000D70A1D246099006214C945190AAD
1,4,0x36181800C21AC3980E04ACC02416416D,0x000025E91C21509900621654970C1788
1,5,0xBA1A1A00C21AC3980E0599041226C96D,0x8000D4EB1C23529A006214C94515B1B0
```



## Conclusion

- We can bypass secure boot using voltage fault injection in BL1
  - Quad core Cortex-A53 in a black box scenario
    - no documentation, no open development kits
  - Enabling and disabling of decoupling capacitors
  - Fault injection countermeasures are only as good as the fault model that was used
- This is a well-designed product (from a security standpoint)
  - No obvious (to me) low-hanging fruit
  - In contrast to many other devices getting a root shell was challenging
  - And a root shell does not immediately lead to an attack that scales
- SpaceX PSIRT was very responsive and helpful!
  - https://bugcrowd.com/spacex
  - vulnerabilityreporting@spacex.com



# COSIC

github.com/KULeuven-COSIC/Starlink-FI

lennert.wouters@esat.kuleuven.be

@LennertWo

[Modchip schematic and photo (net labels: UT RST, 3V3)]

## Boot log after a successful glitch: patched BL2 and BL31

```
NOTICE: BL1: Built : 16:55:25, Jul 17 2020
NOTICE: EMMC boot counter is 651
NOTICE: BL2: Patched on Earth!
NOTICE: BL2: Built : 01:17:09, Feb 5 2022
NOTICE: Evaluate 0x8102010 & 0xf == 0x4 -> 0
NOTICE: Evaluate 0x8102010 & 0xf == 0x8 -> 0
NOTICE: Evaluate 0x8102010 & 0xf == 0xc -> 0
NOTICE: Evaluate 0x8102010 & 0xf == 0x5 -> 1
NOTICE: Using alternate targetpack config index 3
NOTICE: BL2: end TP
NOTICE: BL31: Patched on Earth!
NOTICE: BL31: Built : 01:17:09, Feb 5 2022
U-Boot 2021.04-g84e5f81 (Feb 05 2022 - 01:17:09 +0000)
Model: Catson
DRAM:  1004 MiB
MMC:   Fast boot:eMMC: 8xbit - div2
stm-sdhci0: 0
In:    serial
Out:   serial
Err:   serial
CPU ID: 0x00020a01 0x868dc3eb 0x8332b785
sdhci_set_clock: Timeout to wait cmd & data inhibit
No SXID found
Detected Board rev: #rev2_proto4
FIP1: 3 FIP2: 3
BOOT SLOT B
Net:   Net Initialization Skipped
No ethernet found.
```







## Acknowledgements

- Arthur Beckers
- Gert Van Beneden
- Tim Ferrell
- John McMaster
- Dan Murray
- Colin O'Flynn

