Starlink-FI Is a Raspberry Pi RP2040 "Modchip" for Code Execution on the Starlink User Terminal

Designed to bypass security features through voltage fault injection, this piggyback board opens up Starlink terminals for exploration.

Security researcher Lennert Wouters and colleagues at the Computer Security and Industrial Cryptography (COSIC) group at KU Leuven have developed a "modchip," which unlocks the Starlink User Terminal hardware — bypassing protections against running custom code through voltage injection.

"We managed to execute arbitrary code on the Starlink User Terminal using a custom modchip that performs voltage fault injection," Wouters explains. "The modchip can be used to bypass signature verification during execution of the System-on-Chip (SoC) ROM bootloader (BL1). This allows [you] to execute arbitrary code on the SoC from BL2 onwards and allows to further explore the Starlink User Terminal and networking side of the system."

SpaceX launched the first satellites in the Starlink constellation in 2019 followed by a commercial satellite broadband offering under the same name in 2021. Customers receive a custom-built satellite dish and the "Starlink User Terminal," a pizza-box computer that handles transmission to and reception from the satellite constellation and converts it to terrestrial communications standards for use with off-the-shelf equipment including smartphones, tablets, and PCs.

Out of the box, the Starlink User Terminal is heavily locked down — which is where Wouters' project comes in. Inspired by the "modchips" that unlock copy protection in games consoles, the Starlink-FI board is driven by a Raspberry Pi RP2040 microcontroller running MicroPython and sits on top of a lightly-modified User Terminal motherboard.

Given a modified copy of the contents of the Terminal's eMMC storage, the modchip creates faults by injecting unexpected voltages at various points in the hardware — glitching its way past security protections and unlocking the ability to run arbitrary code.

The project does come with some caveats, however — the biggest of which is that the board layout is based on the circular variant of the Starlink User Terminal. "The same attack should work on the square user terminal," Wouters notes, "but will require you to create a new PCB design." The team has also stated that it will not be selling finished boards nor providing patched firmware or the precise parameters required for successful glitching. "The presentation slides contain various hints," Wouters says, "and the parameters will vary depending on how you patch the firmware."

The PCB design files, source code, and the slide deck from Wouters' Black Hat USA 2022 presentation on the topic are available on the project's GitHub repository, along with the warning that installation will immediately void your Starlink User Terminal's warranty and "may result in permanent damage."

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.
Latest articles
Sponsored articles
Related articles
Latest articles
Read more
Related articles