Starlink星链破解那些事

0x00 Reference

鲁汶大学关于设备拆解Dump固件的内容
https://www.esat.kuleuven.be/cosic/blog/dumping-and-extracting-the-spacex-starlink-user-terminal-firmware/

I am excited to announce that our talk "Glitched on Earth by humans" will be presented at @BlackHatEvents!
I will cover how we glitched the Starlink User Terminal SoC bootrom using a modchip to obtain root.

This might be the first tweet sent through a rooted Starlink UT! #BHUSA pic.twitter.com/0XMMIidEKk
— Lennert (@LennertWo) May 19, 2022

鲁汶大学BlackHat议题 Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal PPT

点击以访问 US-22-Wouters-Glitched-On-Earth.pdf

之前有解读过解读：SpaceX Starlink 星链破解

乌克兰安全工程师Starlink路由器逆向分析

Everything you want to know about the Starlink router.

Warning: a lot of pictures inside.https://t.co/7RwIujNjQL
— Oleg Kutkov 🇺🇦 (@olegkutkov) December 25, 2021

Analysis and reverse-engineering of the original Starlink router

0x01分析

V1路由硬件

V1 SOC采用了高通IPQ4018

固件镜像:

固件解包后的详细内容列表可在https://github.com/cn0xroot/Starlink_Reverse 找到

Starlink route file list and ca listhttps://t.co/xNzMFxODBH pic.twitter.com/yI5PqBfR4A
— Re (@0x0Radio) December 27, 2021

固件解包后导入IDA

发现部分内部网络域名：

Found something interesting in #Starlink firmware pic.twitter.com/VEWvO5p1Yx
— Re (@0x0Radio) December 13, 2021

#Starlink satellite firmware dumped in nandflash, main component wifi_control developed by golang/google protobuf, go2exe, #spacex pic.twitter.com/PDpotR1qh0
— vessial (@vessial) December 13, 2021

访问该网络需要安全芯片认证：