Belgian boffins dump Starlink dish terminal's firmware, gain root access and a few ideas
Extra-terrestrial service probed
Belgian boffins have published a teardown of the Starlink user terminal – also known as Dishy McFlatface – in which they managed to dump the device's firmware, which was housed on an eMMC card on the PCB.
For the academics at the Katholieke Universiteit Leuven (KU Leuven), actually getting their hands on the firmware for later analysis proved to be a somewhat fraught process.
Although the hardware came with a UART (Universal Asynchronous Receiver Transmitter) port for USB debugging, SpaceX opted — perhaps for obvious reasons — to restrict access to those entrusted with development credentials. Still, it revealed some clues, particularly when it came to the boot process, with integrity and authenticity checks used to ensure the kernel had not been tampered with.
The KU Leuven researchers then turned their attention to the eMMC card, which contained the system image. SpaceX left 10 test points on the circuit board, which corresponded to the equivalent solder points on the eMMC chip. The academics were then able to create an ad-hoc logic capture device, using a memory card reader and a few carefully soldered wires and resistors, allowing them to dump the contents of the storage in-circuit.
The next hurdle came when the researchers attempted to read the firmware's contents, as SpaceX uses a custom FIT (flattened image tree) format. Fortunately, these changes were publicly accessible: the company deployed a modified version of U-Boot and was forced to publish its changes in order to remain GPL compliant.
So far, the findings haven't yet been fully published, although the researchers claim they were able to access a root shell, without adequately explaining how they accomplished it. It is, however, understandable they wouldn't publish the entire dump with one eye on SpaceX's lawyers.
The researchers also made some observations about the quad-core ARM processor used to power the terminal, and its configuration, with each of the cores responsible for a specific task. They also noticed that on all consumer devices, all logins are disabled, effectively meaning the original attempt to access the device via the UART port was a dead end.
This isn't the first teardown of Dishy McFlatface we've seen, although all prior warranty-destroying attempts focused on the physical hardware, rather than the software it runs. With a ticket price of $499, these endeavours are best left to those with deep pockets and a curiosity that exceeds their aversion to potentially ruining an expensive bit of kit.
You can read the teardown here. Note that SpaceX does have a bug bounty program, which you can access here. ®