The Hacking of Starlink Terminals Has Begun


Under the 59-cm diameter hood is a large PCB that houses a system-on-chip, including a custom quad-core ARM Cortex-A53 processor, the architecture of which isn’t publicly documented, making it harder to hack. Among other items on the board are radio frequency equipment, power over ethernet systems, and a GPS receiver. Opening up the dish allowed Wouters to understand how it boots up and download its firmware.

To design the modchip, Wouters scanned the Starlink dish and created the design to fit over the existing Starlink board. The modchip requires soldering to the existing Starlink PCB and connecting it using a few wires. The modchip itself is made up of a Raspberry Pi microcontroller, flash storage, electronic switches, and a voltage regulator. When creating the user terminal’s board, Starlink engineers printed “Made on Earth by humans” across it. Wouters’ modchip reads: “Glitched on Earth by humans.”

To get access to the dish’s software, Wouters used his custom system to bypass security protections using a voltage fault injection attack. When the Starlink dish is turning on, it uses a series of different bootloader stages. Wouters’ attack runs the glitch against the first bootloader, known as the ROM bootloader, which is burned onto the system-on-chip and can’t be updated. The attack then deploys patched firmware on later bootloaders, which allows him to take control of the dish.

“From a high-level view, there are two obvious things that you could try to attack: the signature verification or the hash verification,” Wouters says. The glitch works against the signature verification process. “Normally you want to avoid shorts,” he says. “In this case we do it on purpose.”


Initially, Wouters attempted to glitch the chip at the end of its boot cycle—when the Linux operating system has fully loaded—but ultimately found it easier to cause the glitch at the start of the boot. This way was more reliable, Wouters says. To get the glitch to work, he says, he had to stop decoupling capacitors, which are used to smooth out the power supply, from operating. Essentially, the attack disables the decoupling capacitors, runs the glitch to bypass the security protections, and then enables the decoupling capacitors.

This process allows the researcher to run a patched version of Starlink’s firmware during the boot cycle and ultimately allows access to its underlying systems. In response to the research, Wouters says, Starlink offered him researcher-level access to the device’s software, although he says he declined as he had gone too deep with the work and wanted to build the modchip. (During testing, he hung the modified dish out of his research lab’s window and used a plastic bag as a makeshift waterproofing system.)
