
Starlink User Terminal Teardown by walterbell
I think the human race has no future if it doesn’t go to space. —— Stephen Hawking
Starlink is a low Earth orbit (LEO) satellite internet service provided by SpaceX. Users connect to near-Earth orbit satellites through a user terminal, which then connects to the internet via ground gateways.
As the new generation of satellites gradually incorporates laser links, some satellites can communicate with each other via laser. This both reduces reliance on ground stations and improves transmission efficiency, enhancing global coverage.
Even on the Ukrainian battlefield where there are no local ground stations, Starlink user terminals can indirectly access gateways in neighboring countries through inter-satellite links [1].
In this article, we provide a concise overview of DARKNAVY’s recent preliminary investigation into the Starlink user terminal.
Hardware Analysis
A complete Starlink user terminal consists of two parts: a router and an antenna. This article focuses on the antenna component (User Terminal Antenna, hereafter referred to as “UTA”). DARKNAVY purchased a Starlink Standard Actuated (also known as Rev3 or GenV2) user terminal in Singapore and disassembled its antenna portion.
As shown above, after disassembly, we found that the UTA’s PCB is almost as large as its outer shell. Most of the board is occupied by RF front-end chips produced by STMicroelectronics (left side in the photo), while the core control components are mainly concentrated on one side of the PCB.
Starlink Rev3 PCB (core area)
Aside from the RF antenna, the overall design of the UTA’s core area is quite similar to that of a standard IoT device. The main SoC, custom-made by ST for SpaceX, is a quad-core Cortex-A53. Currently, the hardware and datasheet for this chip are confidential and unavailable to the public.
At Black Hat USA 2022, Dr. Lennert Wouters from KU Leuven demonstrated a fault-injection attack against the first-generation Starlink antenna (GenV1) that yielded a root shell on the device. In response, SpaceX disabled the UART debug interface on the PCB via a firmware update to enhance fault-attack resistance. However, Wouters subsequently managed to break in again by refining his approach [2].
Firmware Extraction and Analysis
To analyze the UTA in depth, DARKNAVY directly dumped the firmware from the eMMC chip. Since no obvious eMMC debug pins exist on the Rev3 board, we had to desolder the eMMC chip from the PCB and read it using a programmer. Once extracted, we discovere
7 Comments
walterbell
https://web.archive.org/www.darknavy.org/blog/a_first_glimps…
latchkey
Discussions on similar submissions:
Teardown of the SpaceX Starlink User Terminal https://news.ycombinator.com/item?id=25277171 (December 2, 2020 — 158 points, 138 comments)
londons_explore
I'm surprised to hear all packets are processed in userspace…
If one is doing 1Gbps of traffic which is 100 byte UDP packets, that's a million packets per second you're gonna need to process.
A 1GHz CPU only then gets 1000 cycles to process each one…
Very doable, but certainly not easy unless your engineers like hand coding assembly and having to think about every lookup table trick in the book…
jwrallie
> During device initialization, if the system identifies itself as a user terminal, the initialization script automatically writes 41 SSH public keys into /root/.ssh/authorized_keys. Notably, port 22 on the UTA remains open to the local network at all times.
Forty-one? So who does not have root access to "your" user terminal?
nine_k
Dear author, please consider fixing the typo in the title, it currently reads "Ternimal".
breppp
> DARKNAVY built a basic QEMU-based emulation environment for the Rev3 firmware
Does anyone have links to resources about how to emulate firmware that connects to external devices (GPS here)? Any ready solutions?
purpleidea
Post the 41 public keys, we can see which devs use them probably.
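Added example, not part of the thread or of the DARKNAVY article: one way to inventory an extracted /root/.ssh/authorized_keys file like the one quoted in the comments above, computing OpenSSH-style SHA256 fingerprints and flagging duplicate or malformed entries. The function names are hypothetical and the key lines are constructed placeholders, not keys from any device.

```python
import base64, hashlib, struct
from collections import Counter
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a decoded public-key blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_entry(line):
    """Return (key_type, blob, comment); raise ValueError if malformed."""
    fields = line.split()
    # Simplification: the first field that looks like a key type ends any options.
    idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_PREFIXES)), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("missing key type or key data")
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1], validate=True)
    # The blob begins with a length-prefixed copy of the key type; it must agree.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type.encode():
        raise ValueError("declared type does not match key blob")
    return key_type, blob, " ".join(fields[idx + 2:])

def audit(text):
    """Inventory an authorized_keys file: parsed keys, duplicates, malformed lines."""
    seen, report = Counter(), {"keys": [], "malformed": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            key_type, blob, comment = parse_entry(line)
        except ValueError as exc:
            report["malformed"].append((lineno, str(exc)))
            continue
        fp = fingerprint(blob)
        seen[fp] += 1
        report["keys"].append((lineno, key_type, fp, comment))
    report["duplicates"] = sorted(fp for fp, n in seen.items() if n > 1)
    return report

def sample_line(key_type, seed, comment):
    """Constructed, meaningless key line with a well-formed blob (not a real key)."""
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + hashlib.sha256(seed).digest()
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

SAMPLE = "\n".join([
    sample_line("ssh-ed25519", b"a", "ops-1"), 'from="10.0.0.0/8" ' + sample_line("ssh-ed25519", b"b", "ops-2"),
    sample_line("ssh-ed25519", b"a", "ops-1-copy"), "ssh-rsa " + sample_line("ssh-ed25519", b"c", "x").split(" ", 1)[1],
])
if __name__ == "__main__":
    print(audit(SAMPLE))
```

The fingerprints use the same SHA256 format that `ssh-keygen -l` prints, so the inventory can be compared against keys recorded elsewhere.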