GlitchedOnEarth Slides

The document discusses a black-box security evaluation of the SpaceX Starlink user terminal hardware. It provides an overview of the terminal components including the satellite dish, user terminal hardware revisions, and RF components. It then details efforts to analyze the hardware including teardowns of various components, identifying test points and extracting firmware from the eMMC chip. The document describes experiments with fault injection on the system-on-chip to induce faults and bypass security checks during boot.


Glitched on Earth by Humans:
A Black-Box Security Evaluation of the SpaceX Starlink User Terminal

Lennert Wouters
@LennertWo

COSIC #BHUSA @BlackHatEvents


Starlink 101
(Diagram) Satellites in Low Earth Orbit (LEO), connected by laser links in space; on Earth, the User Terminal (UT) talks to a satellite, which relays to a Gateway connected to the Internet. This talk covers the User Terminal.
Sources: SpaceX, u/darkpenguin22
Teardowns
• youtube.com/c/MikeOnSpace @mikeonspace
• youtube.com/c/KenKeiter @kenkeiter
• youtube.com/c/Thesignalpath @TheSignalPath
• danmurray.net @DanJMurray
• youtube.com/c/ColinOFlynn @colinoflynn
• olegkutkov.me @olegkutkov
Hardware revisions
• Circular UT
  • 59 cm (23,23″) diameter
  • Residential
  • rev1_pre_production, rev1_production, rev1_proto1/2/3
  • rev2_proto0/1/3, rev2_proto2 (SoC cut 3), rev2_proto4 (SoC cut 4)
• Square UT
  • 50 x 30 cm (19″ x 12″)
  • Residential and RV
  • rev3_proto0, rev3_proto1, rev3_proto2
• High Performance UT
  • 57 x 51 cm (22″ x 20″)
  • Business and Maritime
  • hp1_proto0, hp1_proto1
  • Transceiver (external phased array): transceiver_rev2p0/5
This talk (but attack should apply to all UT hardware)
Accessible connectors on V2*
• ethernet + power
• motors
• UART (UT TX, UT RX)
• Connectors: JST BM10B-ZPDSS-TF(LF)(SN), JST BM05B-ZESS-TBT(LF)(SN)

*V1 hardware had an extra connector, V3 does not have easily accessible connectors
UART – U-Boot
(Newer firmware no longer uses this version)
• U-Boot does not accept serial input (on non-development/fused hardware)

UART – Login Prompt
(image-only slide)
PCB overview
• 59 cm (23,23″) diameter
• GPS receiver: STM STA8089 GLLBLU
• Clock generation: GPS, SoC clock
• POE


RF Components
• (A) Digital BeamFormer (DBF)
  • STM GLLBSUABBBA
  • Codename: SHIRAZ
• (B) Front-End Module (FEM)
  • Codename: PULSAR(AD)
• V2 hardware and up: 1 DBF → 16 FEMs
Siliconpr0n
• siliconpr0n.org/archive/doku.php?id=mcmaster:spacex:gllbsuabbba-shiraz
• siliconpr0n.org/archive/doku.php?id=mcmaster:spacex:gea-aa12-109d-tg02-pulsarad
Thanks to John McMaster! @johndmcmaster
• (A) System-on-Chip
  • Custom quad-core ARM Cortex-A53
  • ST Microelectronics
  • GLLCCOCA6BF (cut 3?)
  • GLLCCODA6BF (cut 4?)
  • Codename: CATSON
• (B) Secure Element
  • STM STSAFE-A110
• (C) 4GB eMMC
• (D) 2 x 4Gbit DDR3
SoC
• Through-substrate image of GLLCCOCA6BF (cut 3?), 4 CPU cores visible
  • Thorlabs NIR camera
  • Mitutoyo NIR objective 50x
• Can help narrow down interesting locations for some physical attacks
• Full resolution version will be available on siliconpr0n.org!
Identifying eMMC test points
• Test points located on the PCB: D0, CLK, CMD

Reading eMMC in-circuit
• What I did: SD card reader + TXS0202EVM level shifter (1V8)
• What I recommend: Low Voltage eMMC Adapter by …
Extracting the eMMC dump
• Split the dump into:
  • TF-A Bootstages: Firmware Image Packages
    • unpack with TF-A fiptool
  • Flattened uImage Tree (FIT)
    • unpack with U-Boot dumpimage
  • SpaceX Runtime (dm-verity, error correcting codes)
  • SpaceX Calibration (dm-verity)
  • SpaceX EDR (LUKS)
  • SpaceX dish config (LUKS)
• More details: U-Boot GPL sources: spacex_catson_boot.h
• esat.kuleuven.be/cosic/blog/dumping-and-extracting-the-spacex-starlink-user-terminal-firmware
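As an added illustration (not the talk's or COSIC's tooling), a small carver that locates the container types listed above in a raw eMMC image by their magic values; the sample image, its sector positions and sizes are constructed, and the real partition layout comes from spacex_catson_boot.h:

```python
import struct

# Magic values of the container formats named on the slide.
FIP_MAGIC = struct.pack("<I", 0xAA640001)   # TF-A FIP ToC header 'name' field
FIT_MAGIC = b"\xd0\x0d\xfe\xed"             # FIT = flattened device tree (big-endian header)
LUKS_MAGIC = b"LUKS\xba\xbe"                # LUKS header
VERITY_SIG = b"verity\x00\x00"              # dm-verity hash-device superblock signature
SECTOR = 512                                # partition starts are sector aligned

def fip_size(blob: bytes) -> int:
    """Size of a FIP: walk the ToC (16-byte header, 40-byte entries) up to the
    zero-UUID terminator and return the furthest payload end."""
    end, pos = 16, 16
    while pos + 40 <= len(blob):
        uuid, offset, size, _flags = struct.unpack_from("<16sQQQ", blob, pos)
        pos += 40
        if uuid == bytes(16):           # end-of-table marker
            break
        end = max(end, offset + size)
    return end

def carve(dump: bytes) -> list:
    """Scan sector boundaries and return (offset, kind, size) for each container
    start; size is None where the header alone does not give it."""
    regions = []
    for off in range(0, len(dump) - 7, SECTOR):
        head = dump[off:off + 8]
        if head[:4] == FIP_MAGIC:
            regions.append((off, "fip", fip_size(dump[off:])))
        elif head[:4] == FIT_MAGIC:   # totalsize is the big-endian u32 after the magic
            regions.append((off, "fit", struct.unpack(">I", head[4:8])[0]))
        elif head[:6] == LUKS_MAGIC:
            regions.append((off, "luks", None))
        elif head == VERITY_SIG:
            regions.append((off, "dm-verity", None))
    return regions

def build_sample_dump() -> bytes:
    """Constructed 40-sector image with one container of each kind (not a real dump)."""
    fip = struct.pack("<IIQ", 0xAA640001, 0, 0)                  # ToC header
    fip += struct.pack("<16sQQQ", b"\x01" * 16, 96, 100, 0)       # one image entry
    fip += struct.pack("<16sQQQ", bytes(16), 196, 0, 0)           # terminator entry
    fip += b"B" * 100                                             # image payload
    fit = FIT_MAGIC + struct.pack(">I", 300) + b"\x00" * 292
    img = bytearray(40 * SECTOR)
    img[2 * SECTOR:2 * SECTOR + len(fip)] = fip
    img[10 * SECTOR:10 * SECTOR + len(fit)] = fit
    img[20 * SECTOR:20 * SECTOR + 6] = LUKS_MAGIC
    img[30 * SECTOR:30 * SECTOR + 8] = VERITY_SIG
    return bytes(img)
```

Once a region is located, the slide's tools (fiptool, dumpimage, veritysetup, cryptsetup) take over; the carver only tells you where each one starts.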
Temperature and RF channels
(image-only slide)

Development geofences
(image-only slide)

Obtaining root
(image-only slide)
Fault injection
✓ Flip-chip packaging exposes die backside
  • Laser Fault Injection, Body Bias Injection, Electromagnetic Fault Injection
x PCB is too big for our automatic XYZ positioning equipment
  • Likely cumbersome to do on a roof...
x No development kits
• Differential clock input
  • (But PLL?)
• Reset line
• Voltage Fault Injection
Crowbar VFI
• NewAE ChipWhisperer-Lite (~ $250)
• Glitch port is connected to the SoC core voltage
• Momentarily shorts core voltage to GND
• Core voltage: ~1V, generated by TI TPS56C230
• All decoupling capacitors untouched at this point!
• Oscilloscope triggers on serial data
• Trigger output is input to the ChipWhisperer-Lite
• Glitch parameters controlled from Python
  • Offset from trigger point
  • Glitch width
Example output
(image-only slide)
Results
✓ The Proof-of-Concept works
✓ Was reproduced by the SpaceX PSIRT
✓ Easy to produce (undesirable) faults
✓ A fully booted SoC is already being pushed to its limits
x Slow: 1 attempt every 12 seconds (one per boot)
x Low success rate: many hours for one good attempt
x Unreliable: successful glitch often also results in other errors
STM/SpaceX ARM TF-A
1. BL1 loads BL2 certificate from eMMC
2. BL1 verifies the certificate’s signature
3. BL1 loads the BL2 firmware from eMMC
4. BL1 verifies that SHA512(BL2) matches the hash contained in the certificate
BL1 Glitch setup
• Try to boot with (in)valid signature, hash and firmware
• Try to glitch a valid certificate into a signature verification failure
Normal boot
• UART: “INFO: Image id=6 loaded at address 0x30209000, size = 0x90”
  → Certificate has been loaded
• EM side-channel trace (x 10e6 samples): signature verification visible

Glitched boot
• UART: “INFO: cert_nv_ctr : 1”
  → Signature verified and the rollback counter is 1
• EM side-channel trace (x 10e6 samples): signature verification skipped?!
ROM Bootloader (BL1)
• Mapped at 0x30000000 and readable from BL2!
• BSEC eFuses mapped at 0x22400000 (shadow registers)
• Emulated the ROM bootloader using Unicorn Engine (github.com/unicorn-engine/unicorn)
• Fuzzed using AFL++ in Unicorn mode (github.com/AFLplusplus/AFLplusplus)
• Simulated instruction skip faults in Unicorn Engine
  • Single instruction skip faults do not result in the observed behavior!
  • Code has some control flow checks and redundant operations
  • Skipping two consecutive instructions does result in the observed behavior
  • (Actual fault model is likely to be different)
BL1 glitch detection example
BL1 UART output:
INFO: BL1: Get the image descriptor
INFO: BL1: Loading BL2
INFO: Loading image id=6 at address 0x30209000
INFO: Skip reserving region [base = 0x30209000, size = 0x90]
INFO: Image id=6 loaded at address 0x30209000, size = 0x90
→ Certificate has been loaded: contains invalid signature but valid digest of BL2 firmware
INFO: cert_nv_ctr : 1
→ Signature verification succeeded!
INFO: plat_nv_ctr : 0
INFO: Loading image id=1 at address 0x30209000
INFO: Image id=1 loaded at address 0x30209000, size = 0xf178
→ Loaded BL2 firmware and verified hash digest
NOTICE: BL1: Booting BL2
NOTICE: plat_error_handler err = -80
INFO: Authentication error !!!
→ Final control flow check detects our glitch!
BL1 glitch detection example
(Code listings 1 and 2: the final control flow check, called right before passing control to BL2)
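As an added example (neither the talk's code nor the real ROM), a toy model of the BL1 checks above with a final control-flow counter, and an instruction-skip sweep in the spirit of the Unicorn experiment; it goes one step beyond the slides by contrasting an unconditional counter increment (a single skip of the signature compare boots an unsigned BL2) with an increment bound to the check result (every single and consecutive double skip ends in plat_error_handler). HMAC-SHA512 stands in for the certificate's signature, and the key, firmware blob and step granularity are assumptions of the model.

```python
import hashlib
import hmac

ROM_KEY = b"constructed-demo-key"       # stand-in for the ROM-trusted key (assumption)
BL2 = b"constructed BL2 firmware blob"   # constructed sample firmware
PLAT_NV_CTR = 0                          # eFuse rollback counter (slides: plat_nv_ctr : 0)

class Abort(Exception): pass             # raised where the real BL1 calls plat_error_handler

def make_cert(fw: bytes, nv_ctr: int, valid_sig: bool) -> dict:
    """Certificate body = SHA512(fw) || nv_ctr; HMAC stands in for the signature."""
    body = hashlib.sha512(fw).digest() + nv_ctr.to_bytes(4, "little")
    sig = hmac.new(ROM_KEY, body, "sha512").digest() if valid_sig else bytes(64)
    return {"body": body, "sig": sig}

def boot_flow(cert: dict, bound_counter: bool) -> list:
    """BL1 checks as (name, op) 'instructions' on state st; bound_counter adds the check result."""
    def inc(flag):                        # counter update after each check
        return lambda st: st.__setitem__("cfi", st["cfi"] + (st[flag] if bound_counter else 1))
    def check(name, flag, test):          # sets flag from test(st), aborts on failure
        def op(st):
            st[flag] = test(st)
            if not st[flag]: raise Abort(name)
        return (name, op)
    expect = hmac.new(ROM_KEY, cert["body"], "sha512").digest()
    return [check("signature", "sig_ok", lambda st: hmac.compare_digest(expect, cert["sig"])),
            ("inc", inc("sig_ok")),
            check("hash", "hash_ok", lambda st: hashlib.sha512(BL2).digest() == cert["body"][:64]),
            ("inc", inc("hash_ok")),
            check("rollback", "ctr_ok", lambda st: int.from_bytes(cert["body"][64:], "little") >= PLAT_NV_CTR),
            ("inc", inc("ctr_ok")),
            check("control flow", "cfi_ok", lambda st: st["cfi"] == 3)]  # right before handing over to BL2

def run(flow: list, skip=()) -> str:
    """Run the flow, skipping instruction indices in skip; returns 'booted' or the failed check."""
    st = {"cfi": 0, "sig_ok": False, "hash_ok": False, "ctr_ok": False}
    try:
        for i, (_, op) in enumerate(flow):
            if i not in skip:
                op(st)
    except Abort as e:
        return str(e)
    return "booted"

def fault_sweep(bound_counter: bool) -> dict:
    """Outcome of every single and consecutive double skip, invalid signature but valid BL2 hash."""
    flow = boot_flow(make_cert(BL2, 1, valid_sig=False), bound_counter)
    n = len(flow)
    trials = [(i,) for i in range(n)] + [(i, i + 1) for i in range(n - 1)]
    return {skip: run(flow, skip) for skip in trials}
```

A full bypass of the bound variant needs two non-adjacent skips (the compare and the final check), which is the kind of statement a fault model has to justify before a countermeasure is called sufficient.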


Enabling decoupling capacitors
• Decoupling capacitors are needed for later boot stages
• Experimented with:
  • N-channel MOSFETS
  • P-channel MOSFETS
  • High/Low side switching
  • Gate voltage
  • MOSFET drivers
  • Capacitor sizes
  • Timing
Researcher access
• Demonstrated a full attack in the lab!
• But the setup is still too bulky to be used in a practical setting (e.g., on the roof)
• SpaceX offered an easy way out: SSH access through a Yubikey
• But I was already too far down the rabbit hole …
Creating a mobile setup
• Replacing lab equipment with low-cost off-the-shelf components
• RPI Pico replaces oscilloscope and ChipWhisperer
• Works
• But still messy…
PCB design
• Scanner @ 600 DPI
• Draw board outline at real size in Inkscape
• Load in KiCad and use in the edgecuts layer
Modchip
• Castellated holes to mount to the UT PCB
• Glitch/crowbar MOSFET
• Decoupling MOSFETs
• 2 channel MOSFET driver
• RP2040 @250MHz
  • PIO for triggering and glitch generation
• 6 cm (2,36″)
• 0,8 mm
• Available on GitHub!
Installed modchip
• Core voltage regulator enable pin (for power cycling)
• 1V8 for level shifter
• 12V for MOSFET drivers and standalone power
SpaceX strikes back
• I did a firmware update…
• Previously unused eFuse is now blown and disables UART output
• Modchip was designed to trigger on UART
Adapt
(images: BEFORE / AFTER)
Overcome
• Trigger on eMMC D0 instead of UART
• Modchip could be easily adapted
  • Disconnect UT UART TX
  • Connect to eMMC D0
  • Update glitch parameters from Python
• Alternative: new PCB revision
Network exploration
• All interesting communication uses mutually authenticated TLS (STSAFE)
• Added STSAFE support to the tlslite-ng TLS implementation
• Python script to download the latest firmware updates
• Mostly IPv6 2620:134:b000::1:0:0
• Open ports (nmap): 8001-8012, 9000, 9003, 9005, 9010, 9011
(image: Firmware update archive)
What’s next?
• You can make your own modchip and use it to:
  • Further explore the network infrastructure
    • Not accessible as a normal user
    • Integrate the STSAFE with GRPC
  • Interact with the Digital BeamFormers and update their firmware
  • Repurpose your terminal?
Conclusion
• We can bypass secure boot using voltage fault injection in BL1
  • Quad core Cortex-A53 in a black box scenario
    • no documentation, no open development kits
  • Enabling and disabling of decoupling capacitors
  • Fault injection countermeasures are only as good as the fault model that was used
• This is a well-designed product (from a security standpoint)
  • No obvious (to me) low-hanging fruit
  • In contrast to many other devices getting a root shell was challenging
  • And a root shell does not immediately lead to an attack that scales
• SpaceX PSIRT was very responsive and helpful!
  • https://bugcrowd.com/spacex, [email protected]
COSIC
github.com/KULeuven-COSIC/Starlink-FI
[email protected]
@LennertWo

Demo!
Thanks!
• Arthur Beckers
• Gert Van Beneden
• Tim Ferrell
• John McMaster
• Dan Murray
• Colin O’Flynn